Malware Analysis Report

2024-11-13 13:46

Sample ID 240721-eym89sthnb
Target F946CEB3DFBC4802323F045E77B9FC63.exe
SHA256 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
Tags
dcrat infostealer persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a

Threat Level: Known bad

The file F946CEB3DFBC4802323F045E77B9FC63.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat

DCRat payload

DcRat

Modifies WinLogon for persistence

Dcrat family

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 04:21

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 04:21

Reported

2024-07-21 04:23

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\", \"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\", \"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\", \"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\", \"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\", \"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\", \"C:\\Windows\\Branding\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\", \"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | N/A | C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Windows\Branding\fontdrvhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\ServiceProfiles\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Admin\\Saved Games\\unsecapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Branding\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Defender\\es-ES\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Branding\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\eddb19405b7ce1 | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\RCXB534.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Program Files\Windows Defender\es-ES\TextInputHost.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\es-ES\TextInputHost.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\es-ES\RCXA9DE.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXB09C.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\fonts\RCXB2A2.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\RCXB4B6.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Program Files\WindowsPowerShell\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Program Files\WindowsPowerShell\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\es-ES\RCXA9DF.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\fonts\RCXB2A1.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Program Files\Windows Defender\es-ES\22eafd247d37c3 | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Program Files\Mozilla Firefox\fonts\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXB01E.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ServiceProfiles\RCXAE0A.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Windows\ServiceProfiles\e6c9b481da804f | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Windows\Branding\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Windows\Branding\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Windows\ServiceProfiles\RCXAE09.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Windows\Branding\RCXB738.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Windows\Branding\RCXB7B6.tmp | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File opened for modification | C:\Windows\Branding\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
File created | C:\Windows\ServiceProfiles\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | C:\Windows\Branding\fontdrvhost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
N/A | N/A | C:\Windows\Branding\fontdrvhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Branding\fontdrvhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4552 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe | C:\Windows\Branding\fontdrvhost.exe
PID 4380 wrote to memory of 2304 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 4380 wrote to memory of 1192 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 2304 wrote to memory of 420 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Branding\fontdrvhost.exe
PID 420 wrote to memory of 4472 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 420 wrote to memory of 1352 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 4472 wrote to memory of 2248 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Branding\fontdrvhost.exe
PID 2248 wrote to memory of 3092 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 2248 wrote to memory of 1648 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 3092 wrote to memory of 1532 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Branding\fontdrvhost.exe
PID 1532 wrote to memory of 3480 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 1532 wrote to memory of 4064 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 3480 wrote to memory of 4376 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Branding\fontdrvhost.exe
PID 4376 wrote to memory of 4848 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 4376 wrote to memory of 3464 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 4848 wrote to memory of 2668 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Branding\fontdrvhost.exe
PID 2668 wrote to memory of 3756 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 2668 wrote to memory of 452 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 3756 wrote to memory of 2916 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Branding\fontdrvhost.exe
PID 2916 wrote to memory of 4652 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 2916 wrote to memory of 4372 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 4652 wrote to memory of 2860 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Branding\fontdrvhost.exe
PID 2860 wrote to memory of 2364 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 2860 wrote to memory of 1764 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 2364 wrote to memory of 3536 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Branding\fontdrvhost.exe
PID 3536 wrote to memory of 3800 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 3536 wrote to memory of 2284 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 3800 wrote to memory of 3016 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Branding\fontdrvhost.exe
PID 3016 wrote to memory of 3408 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 3016 wrote to memory of 636 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe
PID 3408 wrote to memory of 5028 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\Branding\fontdrvhost.exe
PID 5028 wrote to memory of 1348 | N/A | C:\Windows\Branding\fontdrvhost.exe | C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe

"C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Branding\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\Branding\fontdrvhost.exe

"C:\Windows\Branding\fontdrvhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e767b887-1a93-4c47-850c-f291b0f52c9f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59cc329e-403b-4304-8f72-31f5ccd51e52.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cecf907-1a44-4197-9bba-63e7ad0cb11f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fa17a65-3330-49b9-b443-3df160ef6f41.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86582284-2896-4cb1-aaf3-4dcfb9a871dc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4626c041-5a06-4d9d-9c4d-70235ff32f62.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7533e802-628a-4ebe-ac25-0716e5917a67.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65982534-c48f-4836-95bf-98ad54ca0ebf.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bdf90df-fff6-46b3-a390-b224919c8ebc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e9aff1c-f25c-4d6a-b2d8-be27f575ac28.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62dfae26-4595-47fe-80b9-32dc9b250927.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebf13c66-c5c4-4459-b3b1-06fb3ffeae12.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0be2b0e-404a-4587-9f1e-1e3efbfa71dc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c011816d-2fbb-4c2e-8220-c188d4445494.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dfddaaf-b1ae-4c46-94fb-8b5c5fa32e10.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a71668f-048e-49fc-a692-07544461ccdc.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\210b55fa-f589-4bd4-acdd-90cc97d84fba.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c44465f-88e9-490b-b874-c60622539eec.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\769e5175-a7cf-48f2-a5c9-c9f91820a8d0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67cf566d-115d-46b5-9a52-e6ae3d0b5435.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73962c40-07d5-4df8-9a42-2c6621b110df.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb25182e-953b-40cc-9760-c117eecc90c1.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b0a9d1b-5071-44bf-8c56-767a2d42ec62.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcb99c75-2483-4019-b61a-64c4fa23e38e.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\483e4332-9f73-4040-abc5-f67f6eb59580.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccec9bc5-fec0-4329-ab62-b6beeadf1ebc.vbs"

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\Branding\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc65bc91-7c01-484a-bea1-3cfe987d5b46.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\636f09de-5fa0-424a-8e8d-bb7edb6dd783.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 a1005850.xsph.ru udp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 58.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 104.20.3.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.20.3.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.3.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.3.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 104.20.3.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.3.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.3.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.3.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.3.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/4552-0-0x00007FFD66510000-0x00007FFD66705000-memory.dmp

memory/4552-1-0x0000000000660000-0x00000000007BA000-memory.dmp

memory/4552-2-0x00007FFD66510000-0x00007FFD66705000-memory.dmp

memory/4552-3-0x00000000029E0000-0x00000000029FC000-memory.dmp

memory/4552-4-0x000000001B330000-0x000000001B380000-memory.dmp

memory/4552-5-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

memory/4552-6-0x000000001B2F0000-0x000000001B306000-memory.dmp

memory/4552-7-0x000000001B310000-0x000000001B318000-memory.dmp

memory/4552-9-0x000000001B390000-0x000000001B39E000-memory.dmp

memory/4552-8-0x000000001B380000-0x000000001B38A000-memory.dmp

memory/4552-10-0x000000001B320000-0x000000001B328000-memory.dmp

C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe

MD5 f946ceb3dfbc4802323f045e77b9fc63
SHA1 04beac37360d30c5ad933f82f80bfd41ae294cc4
SHA256 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
SHA512 7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3

C:\Program Files (x86)\Windows Sidebar\Gadgets\backgroundTaskHost.exe

MD5 612d4097b10a21c1defe0107b380a69a
SHA1 877837ec1f9e34af29afeb7e265b493f3fadc819
SHA256 2d1da6af4cb57038a190ee8a30ae5d39e016573215706b6702854ecd5a8f901b
SHA512 b86183fb995fa0b8d8940f5b9e7ceb927011290b75a96aaa9f897b5549702fa032615d4c5475372154858b6c14bc08ad12b4ee651e1679d75bfd2d508ddc4d10

C:\Program Files\WindowsPowerShell\fontdrvhost.exe

MD5 628b4844c74eb266079dcd04b2407ca0
SHA1 51d8901d17966bdc3e889f40fffe61fc5b0d327c
SHA256 5041b8b86e204e582563c60f9e7f0e2e457aaa54f017dc2a0856678b71451647
SHA512 7fd2b9f7965084aa190672b91295d8ddb7cdb5ff986b984a5c7557c1e27a776f984aa4542f2c775d4daee09c46b33c9a7480c1304d73bd29b062940b28a0b31d

C:\Windows\Branding\fontdrvhost.exe

MD5 16378a6c29c5dc8d4448512fc57b582d
SHA1 f08ce448dd867425d3b69d3c80e8e55f7c31e2e5
SHA256 c93dcde2380f34d416c52122ac692da95b46922dda54618708c742645e7d4c32
SHA512 38f07582c05570fe3322635c5bdb4301611e7fc9aee084cebedb2560ba2f87ad6c8778ebaf005ab1d7f2c2739a2871284f0957b9889f79597adddab16f4856c9

memory/4552-171-0x00007FFD66510000-0x00007FFD66705000-memory.dmp

memory/4380-172-0x0000000000110000-0x000000000026A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e767b887-1a93-4c47-850c-f291b0f52c9f.vbs

MD5 3e0675215d699080ee03ad19571934a8
SHA1 3194924a40f1d56bc8d593fde056b997553f0f2d
SHA256 1e0485dea0734ae6a24da8d47b364586b3cb95f66a1d54149f141760a8a3d13b
SHA512 d7d9d50e6106e82e8849bdaf5801e765824e0cedc2503fa2cf381a88075e8e3d74054786f43c94b4b6d3478dfbb53ff46616422268095ede980bbbb1b1441820

C:\Users\Admin\AppData\Local\Temp\59cc329e-403b-4304-8f72-31f5ccd51e52.vbs

MD5 664be8931be668aeec731bd1e801a6ca
SHA1 7fa78509096f1d810053b14e158eecb7a987764d
SHA256 a8e282f30482d4d24d7b4ddd8169d114a954d1c4dff8942e21a8537b67821f04
SHA512 27efe317fa9878e9a34a97fe31b87418bfd5fb4f7b327d40e6914b11e475562d54fb93ea3003d1bac70d1353e789566a340a75745baeb38da9bcc2190a173573

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

MD5 3690a1c3b695227a38625dcf27bd6dac
SHA1 c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA256 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA512 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

C:\Users\Admin\AppData\Local\Temp\3cecf907-1a44-4197-9bba-63e7ad0cb11f.vbs

MD5 c9d487687492e01010cd4de5007b0da9
SHA1 6c264bda92bf19d9b37bf9421d8d6ce67824f6b6
SHA256 3a7be2c0305bad826df73bab52b6a25a70a71630e1d16399dc2f99fc3c90853f
SHA512 1bc5b124691f8c8e7d8ea4f1a0276a32f290580b66cb125ae8a27dc471cbbe925e96da3e668a5b958316fa42d2c550a4fd3eff0abd8805453c91e3b6f243c859

C:\Users\Admin\AppData\Local\Temp\86582284-2896-4cb1-aaf3-4dcfb9a871dc.vbs

MD5 f70ea1c58b2899ba128f2b219b5bc562
SHA1 a2d76a8b1e791434eec31b7204979854e9e7fa3d
SHA256 eced9e6fd71eea7c24c4c0afdafbf3346a0f19dc12537735363fc0340f5be079
SHA512 a311d97d69d4cadaaa2ed56ffa8fbd288d3f0cd0fe3b71f9288d5fdffe8b3df2f844e2efdcb81abcdd4bdfc76a5b7ea2d811fbcdd5cd31bf0702690ddc0a45f0

C:\Users\Admin\AppData\Local\Temp\7533e802-628a-4ebe-ac25-0716e5917a67.vbs

MD5 5ffcfcda1d9fee6c2db52f9bfc3622b2
SHA1 f298ddbf03c7a7bb76897cf9665f442da2fec345
SHA256 066fc9e721659cf227b49517db5f9768f6831aa1a5a316bc42ae2e9cbc62e293
SHA512 9f93103bdc4e7e26d65df593fefe14d502b4dfe0fe89581eca917d82f35e53a1b52400a5386befb2265405b53c3f93d3b111fcd104dbee5138d7e40ea53320d3

C:\Users\Admin\AppData\Local\Temp\1bdf90df-fff6-46b3-a390-b224919c8ebc.vbs

MD5 13c6dc7796c9b43e3749bc3c76c2c015
SHA1 9c5560fc3a54bf008f984059d730e49cadd5bcf6
SHA256 ce0fda16cdc0ba1a003cff224848243ef13221241ad50d33c329868b2f81c7f7
SHA512 df73b8022711e8f06dfeb6be0d0efde9460782f202627be81e7f0a83f304c0011af191c0d8f9c45f478c933834589bc97a0268ca2d69422f54fa03987aad4061

C:\Users\Admin\AppData\Local\Temp\62dfae26-4595-47fe-80b9-32dc9b250927.vbs

MD5 daacc6175c7785836bf31ef76f7cf25c
SHA1 16f003b848975ad62dc385ab38fa36693ccec19a
SHA256 93676ba9a3d0935bea30768798b2df3515c55405e940b54d5aa1daa0e6f36897
SHA512 051405ec09e2e26b6edbb6647e4664a8eca1c0fac64b3eecca99cf9f3245ab86be1e95b9510e79a2231113e02469cf25f65a85e0d48b6e459b5f763eadc5244f

C:\Users\Admin\AppData\Local\Temp\e0be2b0e-404a-4587-9f1e-1e3efbfa71dc.vbs

MD5 96747b4ec5efe1fd62f79647b2968026
SHA1 93686bc5a3603ff33ec54d01ae9ee9ae3a214cac
SHA256 a718b8fcf373d98eb45ef9491cce76eaf53cf405376edfb580f742eaac244a62
SHA512 1c05a1d0c990fef97bef8e9db3fc7cb36ddcb1a316919441b84e821e121f3ea0539d7fa9133c556780d87836f2c38cb1df0969e5c61c052a499d74eed00bf20f

C:\Users\Admin\AppData\Local\Temp\9dfddaaf-b1ae-4c46-94fb-8b5c5fa32e10.vbs

MD5 a19a178057b8caaf9bc3ebfcf63df078
SHA1 2c83407099723bc97c862240d9f24557962ba001
SHA256 46d1b18e6e574de81b4fc6003de9521602b96fcb014f65403ffb9fe73a4edc47
SHA512 1acb227f7a762526d59527a39192fde02ce20ccf18aecfc3de9159475f8e91b5dcbb3212f586a8fb58bf2f403a79a3e2ac096e03a0d58c228418c0abc27b7b85

memory/2860-261-0x000000001BB00000-0x000000001BC02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\210b55fa-f589-4bd4-acdd-90cc97d84fba.vbs

MD5 41e3d80f412ac5b87c62cb0516246929
SHA1 e16b3b71887a1f15d46fc2c2e023029b5ef0b239
SHA256 11e97c602a2067ae1f5700daa443d3bbf0ba223b72eed22b1b1ecef9a79f0338
SHA512 128edea71e8e3eef287401f8cc5ee698b45365c3636a82fdece833f888ff8b4296ae12edd8de91bc1d9e1daa350fe42e146c0ad1b0fe507cad2e1b0ca2722c31

memory/3536-273-0x000000001BA20000-0x000000001BB22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\769e5175-a7cf-48f2-a5c9-c9f91820a8d0.vbs

MD5 1d82527cd1e7f38f59dfae41ebd01e19
SHA1 c93f8c576e0a1a17d5036a3b10eb2e63bfac62fb
SHA256 4cf4a4e6071a2e16d07d2ca30b8b5b2afeb21af53ab21388c18819b61154e903
SHA512 18f534d7bea2e9e981bd61fecb239b7c466f01c602d0d94a79beca216ce98683087cee1e2d1a40320a2356c4a5af6f2611124cc9ea8b24b83c907646d2dc906c

memory/3016-285-0x000000001BDE0000-0x000000001BEE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\73962c40-07d5-4df8-9a42-2c6621b110df.vbs

MD5 677c38956e1906d2628cb79d1bb2c480
SHA1 90c4c472e7c8efb617ddb53468a28cf448e99b11
SHA256 01409e2954ff011d05a224b719d6c015538e9f433388a69707cbd045c03d65d3
SHA512 80bdd471d0a70fdf3080597552326f8c7dcd35efb4b4be6a38b2cda2904e601cfa8f997495f93af51ed41b8a56a48f630f0829e4d12615adfafdfd7a75afde22

memory/5028-297-0x000000001B760000-0x000000001B862000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0b0a9d1b-5071-44bf-8c56-767a2d42ec62.vbs

MD5 22df33af409b795240048a3e9846fec5
SHA1 72e837b92b8e08d5904420ad786f8f047ce5f334
SHA256 4b0cc27eed9c8e3f944902879e0518ad5a729a1ddc6b1e077c9b340f20fdb089
SHA512 b84116db67966f238357ad73d8d4b3747a70eaf77691dfe0ecb57147d978b2909202dbce5f913673483dbe218e55e39db33a05eb56704db30a46167d5e79b558

C:\Users\Admin\AppData\Local\Temp\483e4332-9f73-4040-abc5-f67f6eb59580.vbs

MD5 39b396fada774529d2bc7e659673c64c
SHA1 de13063ff076eeaaa9d62eeaa0c4ec8275ffeabf
SHA256 71ad49b0e1fdbdb6a42d5f8e9398644ab1d53f2d1528ae6baabbbb68bb7416f5
SHA512 3bc8560fbe83d395c732aecc3218a17e0d42b2b97341b8f2ae97851a91fd5618af3bcea874e36f07012c18b3ef234ad8cd71c33bbdf60a2fc0ccc2c65ef25f03

memory/4272-320-0x000000001C560000-0x000000001C662000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dc65bc91-7c01-484a-bea1-3cfe987d5b46.vbs

MD5 e550af94ab705aa02d33d20fe2a907c9
SHA1 3679ce3d615826f76e94adb6e45078193ea66496
SHA256 2ce8dc37d23d71ca35762c2d63ffe33cfd0c7f88df0663ccf1d7bc62d9fad7bb
SHA512 315502f68cbad27eb0e6d4d9bbdd0224492ac3bdbde19428b3bc5dd305619ee7239c9f44c4c2f6e3f288294eb37a05772797e310cb1dc20f425bf3fd2d4a2c5d

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 04:21

Reported

2024-07-21 04:23

Platform

win7-20240705-en

Max time kernel

146s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\es-ES\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\F946CEB3DFBC4802323F045E77B9FC63.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\F946CEB3DFBC4802323F045E77B9FC63.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\F946CEB3DFBC4802323F045E77B9FC63.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\", \"C:\\Users\\Default User\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\F946CEB3DFBC4802323F045E77B9FC63 = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\F946CEB3DFBC4802323F045E77B9FC63.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F946CEB3DFBC4802323F045E77B9FC63 = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\F946CEB3DFBC4802323F045E77B9FC63.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX9848.tmp C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\RCX9643.tmp C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\RCX9644.tmp C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCX8AD4.tmp C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCX8AD5.tmp C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX9849.tmp C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\es-ES\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Branding\ShellBrd\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Windows\Branding\ShellBrd\RCX8F4B.tmp C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Windows\Branding\ShellBrd\RCX8F4C.tmp C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File opened for modification C:\Windows\Branding\ShellBrd\csrss.exe C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
File created C:\Windows\Branding\ShellBrd\csrss.exe C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 884 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
PID 1752 wrote to memory of 2988 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 1752 wrote to memory of 2724 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2988 wrote to memory of 2640 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2640 wrote to memory of 2716 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2640 wrote to memory of 2308 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2716 wrote to memory of 3028 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
PID 3028 wrote to memory of 2240 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 3028 wrote to memory of 2300 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2240 wrote to memory of 2556 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2556 wrote to memory of 2380 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2556 wrote to memory of 1528 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2380 wrote to memory of 1056 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
PID 1056 wrote to memory of 2488 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 1056 wrote to memory of 1516 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2172 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2172 wrote to memory of 2996 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2172 wrote to memory of 1968 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2996 wrote to memory of 2352 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
PID 2352 wrote to memory of 2316 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2352 wrote to memory of 2076 N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe C:\Windows\System32\WScript.exe
PID 2316 wrote to memory of 1552 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe

"C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "F946CEB3DFBC4802323F045E77B9FC63F" /sc MINUTE /mo 12 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\F946CEB3DFBC4802323F045E77B9FC63.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "F946CEB3DFBC4802323F045E77B9FC63" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\F946CEB3DFBC4802323F045E77B9FC63.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "F946CEB3DFBC4802323F045E77B9FC63F" /sc MINUTE /mo 10 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\F946CEB3DFBC4802323F045E77B9FC63.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c992be04-a7ce-4e75-aa3e-cc8a031cd069.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4720d6e-a386-4669-aa34-12891b5e9cb6.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\554a812c-6e64-4976-917b-b8c217eef133.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d7ba31a-a58b-4465-9145-6a8f84fbacba.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b2c8dd-a004-4603-aae9-80f7cfaf0392.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd2db0de-0ca3-464d-9c91-ecf7699dd997.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7cba06e-41cb-4db8-bd47-19334d3baca4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f39ea6c1-342a-4663-9d88-171aa9b5d1a7.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2065a06-8de0-4c35-ba5e-115d6eba6aa5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf82d430-7ab2-4ae4-97d0-8f3645633a4f.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a3c1dbd-3802-4b93-97d8-13aecdd021d0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46f9be5c-d198-4e86-a936-ed56cd874a47.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4288ef1-593e-4530-874f-a7d329b8d268.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\370c6f9d-4807-41f6-8dfd-e3673cf6179e.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db346c40-d642-45cf-9849-6518e8cf2d1c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85bdd41b-1b41-4b50-9844-8e3048458ffd.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c7e21e4-935b-4538-b9de-dfb21e87e37e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cd8beea-55b8-4c0e-b305-4fa2a37e99b4.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da7b8004-084d-4484-91d8-006a680f7608.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\487c5c4b-c9b4-428f-9414-65e1a9d3824a.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25e4086b-0909-44d8-9b28-9637afc4b55c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\401b26d2-a76d-4803-b5c0-74def1be72dc.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04563bed-1553-414e-ae78-d3a15bcae18a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3febb715-348b-4270-8162-8dd91bebd902.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\701ffe59-342a-4b24-9915-1193aba6b6cb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85d00136-e2a1-4724-9072-777c88869235.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c03932-f6df-44ec-816b-da7d74c9a7b9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060e3119-32c4-45e5-a453-18e83237504a.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 a1005850.xsph.ru udp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
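
The Network table above shows a fixed pattern: a DNS lookup through 8.8.8.8, one TLS connection to pastebin.com, then thirteen alternating connections to pastebin.com:443 and a1005850.xsph.ru:80. The script below is an added triage example, not part of the sandbox report: it embeds the rows copied from the table, counts connections per destination, and flags the "contact a paste site first, then repeatedly beacon to a new host over plain HTTP" chain. The paste-site list, the ordering heuristic and the beacon threshold are this example's own assumptions.

```python
"""Added example: summarize a sandbox Network table and flag dead-drop/C2 chains.

ROWS is copied from the report's Network table (28 rows: 2 DNS lookups, then
13 TCP connections to each of pastebin.com:443 and a1005850.xsph.ru:80).
PASTE_SITES and the heuristics below are this example's own assumptions.
"""
from collections import Counter

# (country, destination, domain, proto), in the order the report lists them.
ROWS = [
    ("US", "8.8.8.8:53", "pastebin.com", "udp"),
    ("US", "104.20.4.235:443", "pastebin.com", "tcp"),
    ("US", "8.8.8.8:53", "a1005850.xsph.ru", "udp"),
    ("RU", "141.8.192.58:80", "a1005850.xsph.ru", "tcp"),
] + [
    ("US", "104.20.4.235:443", "pastebin.com", "tcp"),
    ("RU", "141.8.192.58:80", "a1005850.xsph.ru", "tcp"),
] * 12

# Assumption: legitimate services commonly used as dead-drop resolvers, i.e. the
# malware fetches its real C2 address (or config) from here before beaconing.
PASTE_SITES = {"pastebin.com", "paste.ee", "rentry.co"}


def summarize(rows):
    """Count connections per (domain, destination, proto)."""
    return Counter((domain, dst, proto) for _, dst, domain, proto in rows)


def tcp_first_seen(rows):
    """Domains in the order of their first TCP connection (DNS rows ignored)."""
    order = []
    for _, _, domain, proto in rows:
        if proto == "tcp" and domain not in order:
            order.append(domain)
    return order


def dead_drop_candidates(rows):
    """Pair each paste site with every non-paste host first contacted after it.

    The pairing only uses connection order, so it is a lead for the analyst,
    not proof that the second host was read from the paste.
    """
    order = tcp_first_seen(rows)
    pairs = []
    for i, host in enumerate(order):
        if host in PASTE_SITES:
            pairs.extend((host, later) for later in order[i + 1:]
                         if later not in PASTE_SITES)
    return pairs


def plaintext_beacons(rows, min_count=5):
    """Hosts contacted repeatedly over port 80: repeated cleartext check-ins."""
    counts = Counter(domain for _, dst, domain, proto in rows
                     if proto == "tcp" and dst.endswith(":80"))
    return {d: n for d, n in counts.items() if n >= min_count}


def triage(rows):
    return {
        "connections": summarize(rows),
        "dead_drop": dead_drop_candidates(rows),
        "beacons": plaintext_beacons(rows),
    }


if __name__ == "__main__":
    result = triage(ROWS)
    for (domain, dst, proto), n in result["connections"].most_common():
        print(f"{n:3d}  {domain:<20} {dst:<20} {proto}")
    print("dead-drop chains:", result["dead_drop"])
    print("plaintext beacons:", result["beacons"])
```

Run stand-alone it prints the per-destination counts, the pair (pastebin.com, a1005850.xsph.ru) as the dead-drop chain and a1005850.xsph.ru with 13 plain-HTTP connections. Blocking only pastebin.com would not stop the implant if the C2 address is already cached, so the port-80 host is the indicator to pivot on.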

Files

memory/884-0-0x000007FEF5743000-0x000007FEF5744000-memory.dmp

memory/884-1-0x0000000000AB0000-0x0000000000C0A000-memory.dmp

memory/884-2-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

memory/884-3-0x0000000000140000-0x000000000015C000-memory.dmp

memory/884-4-0x0000000000260000-0x0000000000270000-memory.dmp

memory/884-5-0x0000000000270000-0x0000000000286000-memory.dmp

memory/884-6-0x0000000000310000-0x0000000000318000-memory.dmp

memory/884-7-0x0000000000330000-0x000000000033A000-memory.dmp

memory/884-8-0x00000000005D0000-0x00000000005DE000-memory.dmp

memory/884-9-0x0000000000320000-0x0000000000328000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

MD5 f946ceb3dfbc4802323f045e77b9fc63
SHA1 04beac37360d30c5ad933f82f80bfd41ae294cc4
SHA256 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
SHA512 7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3

C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe

MD5 33908b9c8646f108b874ee2120df8794
SHA1 b6e2b18df8c32135700418be1a39163d38b1a59f
SHA256 c58850c918f008acf1338ad19e465a7a5a914b6e8b7b0678265d4e0bdde269e4
SHA512 fe2d4f7423c7cbcbb2fb9dd5a4363247d46bd33501424e78f6a7779cefa7848d8b81b181089174e5f8d9413d349e729aaca6086e57a97c1af85abceb7e27a8e8

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

MD5 d20b47cd8c8fb7139bc0df797bc0f4a5
SHA1 df0fb41b0c82fb1350b844c2e7f76ba005780c3e
SHA256 655d70548ffe3d4d304c22d9d749d9f33dcf0bfee98be38bdc44dfacab484789
SHA512 47700b4bc9aa0cd41ddf67bc43fe160dcf3df713a0cec0958d0535e5fbd63beddf6cb146dfd3e026a8b7d8612936fe518f602c70a3cb87abdb30345ac79c946a

C:\Users\Default\winlogon.exe

MD5 9d85ea32d592002b1bf3a6c84c63132e
SHA1 0bf3d081e789ef9b0def8584548600a39210632d
SHA256 8bdd1737e6baa661940c3db3c40a0039b7f12950acd07124f76c6698dc2b11b2
SHA512 e5e9df1a84dd8fabce056a394c45beda5c2f219d2399ca3ea025403b78f7c59dc9626e7630cb9b8c865a87981a490a8d27fcd46c03a51d0c30296e719734e98a

memory/884-157-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

memory/1752-156-0x00000000010B0000-0x000000000120A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c992be04-a7ce-4e75-aa3e-cc8a031cd069.vbs

MD5 07b08814d9ab26b307a3a35a6340aac9
SHA1 676d3e39ba17dd133e82a18863acad09768cd4fc
SHA256 da7dd779eb062f0c2af8478628f4621510b503a1e819230266ee6e7f0a719fd6
SHA512 0727c8cc15cd69626fc7d7f47056466bfcf5b12d65f06db58539c8995400f44264e33b17e0e5c6b222a4535fce4c6b224c303754ca72c3934129b9bcc5a49ca8

C:\Users\Admin\AppData\Local\Temp\c4720d6e-a386-4669-aa34-12891b5e9cb6.vbs

MD5 fd345ab88a3a24ceb40d4e572563071c
SHA1 9f09a0fc06ab1c9d7858c721ccda6aeee52b141f
SHA256 658d5a9f24811e2c1671214b25c0641e5b88f4f15d0c1fa4ad965df2a0a30092
SHA512 2265842ec4cc595fcb857fdb568fe8c9643cc22d04cf88e30eaf7e1a8c9e08fa1fb3c1840291f288bf0fa8fdf22ba58105721693e9ff8e4f435940b51db248fe

memory/2640-168-0x0000000000100000-0x000000000025A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\554a812c-6e64-4976-917b-b8c217eef133.vbs

MD5 b4b9793e171d73f4f53bf62446019dc0
SHA1 572bd8d223028dd90d3723a52f9384631a68bd51
SHA256 008b29395e00983e73c7081983a32206deb22b82c186d560d708787d126d2aff
SHA512 3fd83db78d20023ede1e0309b4e56b7306343bfb5316478407fd3067740ef91e68dfae7b11beb3a0d4c9f3e462613faa00c52c7a6a11991517de290196a9dbad

memory/3028-180-0x0000000000110000-0x000000000026A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\02b2c8dd-a004-4603-aae9-80f7cfaf0392.vbs

MD5 620ab848e9f58536086699e18fa21b1c
SHA1 4115f07d04a9a41cc7b0fe5cfd2ce6fde08acf93
SHA256 16636201dabcb39d0e9bc447010d4a3b71456c5288dbe1ad188e20b239fd83e3
SHA512 bdca00a4a31f71a23496a6c63a7c8220ceb5b4d432fca925a159db87db8ed47af7ee9e504cbe132282e7223fd431c6118bb4fd260195845bb00cb5f4e5d024f6

memory/2556-192-0x0000000001380000-0x00000000014DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d7cba06e-41cb-4db8-bd47-19334d3baca4.vbs

MD5 ca17a62ca57f5e5da5a82e9fc501d06c
SHA1 b745830bb0d7305923991c89b324803d478e3141
SHA256 f8fc4d22013fefa0fe812a8f5549351d4afd907c6bfc408ce6995376379777c9
SHA512 f8167f1966b698cf9ef386c6efc22bc85b9e06e0c982460709bddc4874d10065b9f0d71b911e491623e88e48102e8fb1c0984711f984e7e6268d05622e400702

C:\Users\Admin\AppData\Local\Temp\b2065a06-8de0-4c35-ba5e-115d6eba6aa5.vbs

MD5 378b50a5a9479e5b7f105e4618bc9db1
SHA1 8a0b3432a558587b35497cc231b56bcea5291682
SHA256 f4534ea6f308b4238266c4c811ee794316a5ac7c270623cc926257ea5b49e4ba
SHA512 bbf3bce80155d902c73b263955efd2a4944e046a863257924e9f13416782d0401a2b57ff42f6b976fe48c0306808706f43f12b5153c35c891a20ca65386742cc

C:\Users\Admin\AppData\Local\Temp\3a3c1dbd-3802-4b93-97d8-13aecdd021d0.vbs

MD5 01bfeef315acd31cacd6407b5221582e
SHA1 b0411d47839dd3daca1106220f25843b217fcd03
SHA256 d90ea2b8dad11187a7ad502e83416fef409bbf070497da4709751b0b9d35d6d0
SHA512 6604350155f82e87b0b4f7a3ed3cf6a454166ab84d530dd4419f8a0b11fe78c74020c933f6f2fa8fd833c4cdc1ebb0e850319c7926bca6783a11c14448a18c04

memory/2352-226-0x00000000002A0000-0x00000000003FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e4288ef1-593e-4530-874f-a7d329b8d268.vbs

MD5 db00feccbeec544cfe8003790ad8bbad
SHA1 24b0e0e306efda4df0303b42e19316ee36096c4f
SHA256 548046919c71044c7d782c2aa31a08f40a3d50b75747b8207b4517d7b1142339
SHA512 7fc0f3d518adbd876a0f9da14982ff1be7b602d2dec95ef4c593a16f0851de2ecc731c127579e51f39b4479ff1cbba47cd5db909438327cff39dd518bac326b8

memory/1552-238-0x0000000000060000-0x00000000001BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db346c40-d642-45cf-9849-6518e8cf2d1c.vbs

MD5 c3aa4be60fc2518b170904ce4421fcd5
SHA1 5f7e428be348d501d00b975347a4f39cf0e6e81d
SHA256 e0bc8cafd2bfdd67d016253f556b631c33ccf51b99001e5d582b0f4ddc1fb868
SHA512 75e1a65723f96360e85761e612dd85b822fbff8cd20044b2c5103302b85b4a6569330a271992836f7a892b54c4772f3e6037b154eb9f3a824d57477996dbf1d2

memory/1028-250-0x0000000000D10000-0x0000000000E6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7c7e21e4-935b-4538-b9de-dfb21e87e37e.vbs

MD5 4efa9f3e47e11638ff92fae33b96f9f9
SHA1 1d5aa9ddfc544de20043585d6e59afb3fb816874
SHA256 18dc5b6055eb49d4b911fcdefa61f780cff60f781f88fe671286909f31a2db80
SHA512 0fda27eb05a9b375070d98ade87000706e53e9c8843b8cfd0c276834d3f3f0d22bf9cd2c3681b7c7ae024437398dc99b4c2ed8f92f718fbafcb69a6297031223

memory/2880-262-0x00000000011F0000-0x000000000134A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\da7b8004-084d-4484-91d8-006a680f7608.vbs

MD5 996ed5069a54aebd9793e793476be7bc
SHA1 868b1aa1c437c4d7d3aeffb0461d4401396516f6
SHA256 a805d71571ce6746505bf5e626fff76c89af8296bfa05be6b6ce08a384df434e
SHA512 4ebcca56c3f4fa32c8786080340aa2cd3e8b8effb419a0f9e929517a34b2b8dbc91fd5543f4670d5437f54e94500e9a03d7a4e3eac8c6aa79ef106286050ec64

memory/2680-274-0x00000000000A0000-0x00000000001FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\25e4086b-0909-44d8-9b28-9637afc4b55c.vbs

MD5 35d47c774109985e617af58e5a998a9a
SHA1 de2ecac583dd48539260efd2cae7429f10181674
SHA256 4c189b40fb52e13c569128a01c7e70bc5b762ecaaab4b733c13201249cbb7e69
SHA512 b2a9cdb9fc6bbf6df7bdfb3faeb16af4fab8e490c2fb5d86ff7ea59cf000b9733bc9f57be033edef0167ff08b3a07a0a5b1aa7e000cedaad3949ea16c21eac4f

memory/3000-286-0x0000000000300000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\04563bed-1553-414e-ae78-d3a15bcae18a.vbs

MD5 b6b3d77090ed5220e1158edb2810f4c0
SHA1 7161a9aaad13dda5adf982708dae8ef5316a2017
SHA256 e08a43ac3512d7e821a418379f9877961328444c865edb4153810d0df3fd9e21
SHA512 b22b0ed29507685cb45d8ef8406bd6cd57a5e1904c43175e2ac9bca706d3f8133e052dca23073b873d7415bee4322da5364d060962c9d6c13391d8f361b420a6

memory/1884-298-0x0000000000E00000-0x0000000000F5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\701ffe59-342a-4b24-9915-1193aba6b6cb.vbs

MD5 de664c5440f3ff742145f65e7ad2203a
SHA1 bbb90f9f6a3ca7067154a327fd07169de2f953cc
SHA256 84c73cf298d6c4b94d43e194f214f2002695c958fed08248b00a47a608aa3b72
SHA512 ffa6f11266bf8b195cf5d06f09a66acce11af4863c9022fbb0ebc63ece9416d78497d5ce37bbc8d563734775fe9489c39c0e2810440391ba96fac0bdd2533405

memory/3040-310-0x0000000001130000-0x000000000128A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d0c03932-f6df-44ec-816b-da7d74c9a7b9.vbs

MD5 e52c83bd74eb5bc872a04326f6d76f15
SHA1 a641181fa7038021da59198a12f4c63bb3d9e34e
SHA256 9919b82f4339215a18802f725eb51e794260296137e92a4f7089778d62629ebf
SHA512 a6141f11b6aa1f3a5e896e52893949aa3921a88926db334eb0246ae37b1d7b22730c6bba9278ec55111b4e9b10393b1e31c83c038b799e0d343607503daf0079
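
The Processes and Files sections above share one pattern worth turning into a check: WScript.exe launching GUID-named .vbs files from the user's Temp directory, and copies of the sample written under system-binary names (explorer.exe, services.exe, winlogon.exe) in directories where Windows never places them (MSOCache, Recovery\<GUID>, Users\Default). The script below is an added example, not part of the report: it parses the report's path-plus-hash layout, classifies both dropped-file paths and process command lines, and looks a local file's SHA256 up in the parsed list. The excerpt embedded in it is copied from the Files list (trimmed to SHA256 lines); the directory allow-list and the GUID-script heuristic are this example's assumptions.

```python
"""Added example: flag masquerading paths from a sandbox report and match hashes.

REPORT_EXCERPT and PROCESS_LINES are copied from the report above. EXPECTED_DIRS,
WINSXS and the GUID-script pattern are this example's own assumptions.
"""
import hashlib
import ntpath
import re

REPORT_EXCERPT = r"""
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe

SHA256 655d70548ffe3d4d304c22d9d749d9f33dcf0bfee98be38bdc44dfacab484789

C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe

SHA256 c58850c918f008acf1338ad19e465a7a5a914b6e8b7b0678265d4e0bdde269e4

C:\Users\Default\winlogon.exe

SHA256 8bdd1737e6baa661940c3db3c40a0039b7f12950acd07124f76c6698dc2b11b2

C:\Users\Admin\AppData\Local\Temp\04563bed-1553-414e-ae78-d3a15bcae18a.vbs

SHA256 e08a43ac3512d7e821a418379f9877961328444c865edb4153810d0df3fd9e21
"""

PROCESS_LINES = [
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04563bed-1553-414e-ae78-d3a15bcae18a.vbs"',
    r'"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"',
]

# Assumption: the only directories a genuine copy of each binary lives in;
# the WinSxS component store is additionally allowed as a prefix.
EXPECTED_DIRS = {
    "explorer.exe": {"c:\\windows"},
    "services.exe": {"c:\\windows\\system32"},
    "winlogon.exe": {"c:\\windows\\system32"},
}
WINSXS = "c:\\windows\\winsxs\\"
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
TEMP_GUID_SCRIPT = re.compile(r"\\appdata\\local\\temp\\" + GUID + r"\.(?:vbs|js|bat|cmd|ps1)$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def parse_file_entries(text):
    """Parse the report's 'path, then hash lines' layout into dicts."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
        else:
            current = {"path": line}
            entries.append(current)
    return entries


def classify_path(path):
    """Reasons a path looks like masquerading or a dropped loader script."""
    low = path.lower()
    name, directory = ntpath.basename(low), ntpath.dirname(low)
    reasons = []
    allowed = EXPECTED_DIRS.get(name)
    if allowed is not None and directory not in allowed and not directory.startswith(WINSXS):
        reasons.append(f"{name} outside its expected directory")
    if TEMP_GUID_SCRIPT.search(low):
        reasons.append("GUID-named script in user Temp")
    return reasons


def classify_command_line(cmdline):
    """Classify the image and every quoted argument of a command line."""
    parts = re.findall(r'"([^"]*)"', cmdline) or cmdline.split()
    return [reason for part in parts for reason in classify_path(part)]


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_by_sha256(digest, entries):
    """The report entry with this SHA256, or None if the file is not a listed IOC."""
    return next((e for e in entries if e.get("sha256") == digest.lower()), None)


if __name__ == "__main__":
    entries = parse_file_entries(REPORT_EXCERPT)
    for e in entries:
        print(classify_path(e["path"]) or "ok", e["path"])
    for line in PROCESS_LINES:
        print(classify_command_line(line), line)
    # On a suspect host: find_by_sha256(sha256_file(r"C:\Users\Default\winlogon.exe"), entries)
```

The hash lookup is exact-match only, so it catches this build and nothing else; the path rules are what generalize, because a DCRat-style dropper picks a different system-binary name and a different GUID on every victim but keeps writing into directories where those names have no business being.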