Malware Analysis Report

2024-11-15 05:53

Sample ID 240722-xbvc6s1gja
Target RustUpdater.exe
SHA256 528a09f9d227d34e3ca3ada3286fbf3a651fd651d1028c981f5754f3dfa15d78
Tags: rat dcrat execution infostealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

528a09f9d227d34e3ca3ada3286fbf3a651fd651d1028c981f5754f3dfa15d78

Threat Level: Known bad

The file RustUpdater.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer

Dcrat family

DcRat

DCRat payload

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 18:41

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 18:41

Reported

2024-07-22 18:44

Platform

win7-20240704-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Count Description Indicator Process Target
24 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Count Description Indicator Process Target
7 N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Count Description Indicator Process Target
9 N/A pastebin.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\886983d96e3d3e C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files\Windows Journal\de-DE\audiodg.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files\Windows Journal\de-DE\42af1c969fbb7b C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files\Windows NT\TableTextService\Idle.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files\Windows NT\TableTextService\6ccacd8608530f C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files\VideoLAN\csrss.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
13 N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
12 N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
39 N/A N/A C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
1 Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
12 Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
8 Token: SeDebugPrivilege N/A C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
4 PID 2120 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe C:\Windows\SysWOW64\WScript.exe
4 PID 2200 wrote to memory of 2684 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2684 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
3 PID 2224 wrote to memory of 936 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 704 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3 PID 2224 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
3 PID 1728 wrote to memory of 1128 N/A C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe C:\Windows\System32\WScript.exe
3 PID 1728 wrote to memory of 1020 N/A C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe C:\Windows\System32\WScript.exe
3 PID 1128 wrote to memory of 3012 N/A C:\Windows\System32\WScript.exe C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
3 PID 2784 wrote to memory of 2236 N/A C:\Windows\System32\WScript.exe C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
1 PID 2236 wrote to memory of 2380 N/A C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat" "

C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe

"C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 9 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\componentdriver.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\componentdriver.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 11 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\componentdriver.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\de-DE\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\de-DE\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f56115f-ce3a-49cf-96d4-9426d4747b4d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bce03413-b6dd-4ae3-9a6c-69b16ec75c78.vbs"

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2272794-943d-4c7a-83dc-6444fe2ad2c5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54a7ae00-5997-4939-8367-a728442dbde3.vbs"

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f8fd66b-2d9d-4903-a017-ad07949edca8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb04e69-6569-494c-84fb-04c8ec21d6f2.vbs"

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91dab18d-5f61-4f74-b29d-ec1aaaba0669.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec9501b-fa7e-4b95-8345-f47d1b7926fe.vbs"

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c12ceac-15b7-486c-8413-b4c83a9f62d3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a09c97be-d4e8-4e99-8092-826d407dbeaa.vbs"

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d44d7382-56d4-417b-bdb7-bc6953367a24.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a1f0fe6-9609-4a0a-abde-ccf405df4d4d.vbs"

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b3d5d39-1590-4997-b779-71857d6230ec.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be350d3f-f96c-409a-ab9f-c44436e1ec9d.vbs"

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c0719aa-1de7-45f8-9711-78d60cff2e8d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1146f048-5f6f-49e0-a8db-71131ae7e874.vbs"

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\674d2b82-bb28-48a1-9828-ad3ef457ba31.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbf51341-2ddc-48f5-88cf-940b30e4dbc2.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 niganaga.tw1.ru udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 tcp

Files

memory/2120-0-0x0000000000390000-0x0000000000776000-memory.dmp

memory/2120-8-0x0000000000390000-0x0000000000776000-memory.dmp

C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe

MD5 4dad95df8fa0e085b45537e5be8778f6
SHA1 044c0c326db9f180d8c79f7fd7719fac3abc69d3
SHA256 b4c3908e82e611ee34d5b27906b7ea428f31cf3c6e37d19e49032ac5af938f0b
SHA512 4a089ec1b661a1b996781fcd813971b9ba43a4a0c4ba356dc0d78072bb03e62ceb8bda1f21f579c1a82662eeece15f2515a73b11863eeed5c11b5176e920d376

C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat

MD5 8f2fe00117d8cf1e8f32eb7bf7c5ab82
SHA1 952f7ed0a7bcc5ccc8a3dda8d32d12d3777f6be9
SHA256 02e8d359193b0ae24c55786b196b81fa9ca8851c0b36944547ab1c766ecf53ba
SHA512 6fd6a26b107c1542e84649a016ad6e523ed43f9b63b33b6efe96e89a73c0fdadcba4aa9786a399e8df4d2e7d8af79dbabfd4534648e76aae948b082e97a1e077

C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe

MD5 50c3534dacb3359079f8fca6b702e98e
SHA1 85cd176c6f7c97017547aaf9b1133ca3d1fb1885
SHA256 867cfd96b563631e0e2a1d89d784b47bf723194595b6dd301225fe608f6186de
SHA512 a3cb0ff747332f0d91a2126f63cf12ea44e00de2221ec83fcbec86dfff90384c62299a77e97916572ad723132123168505e005884c6c8329713eb3db9cbf2750

memory/2224-15-0x0000000000950000-0x0000000000A5A000-memory.dmp

memory/2224-16-0x00000000005C0000-0x00000000005C8000-memory.dmp

memory/2224-17-0x00000000005D0000-0x00000000005DC000-memory.dmp

memory/2224-18-0x00000000005E0000-0x00000000005EC000-memory.dmp

memory/2224-19-0x00000000005F0000-0x00000000005FA000-memory.dmp

memory/2224-20-0x0000000000680000-0x0000000000688000-memory.dmp

memory/2224-21-0x0000000000690000-0x000000000069C000-memory.dmp

memory/1728-44-0x0000000000FE0000-0x00000000010EA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 793dfb09b26e41d5bee79e137e250e17
SHA1 f4bda56f65601e2ecdfc3af1df6ce0c8da25c9e2
SHA256 c65d94b081f07e67af3780f2b0d77f9de809d65f084826238444069c13c804a4
SHA512 8a182a8dfa794f4da6cec4758254f8b16ff6902461f40005a6d3813eb370aab0ca16240b7b3c24f3fa7b9ce17c7943adbd7750b34acd9b2db0bcaed929f7c949

memory/2288-71-0x0000000002300000-0x0000000002308000-memory.dmp

memory/1764-70-0x000000001B280000-0x000000001B562000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3f56115f-ce3a-49cf-96d4-9426d4747b4d.vbs

MD5 fc61d564f4b377c91e97f1bc6b53aaf5
SHA1 dc02b1691cebf73b55e284bf9691a7b877598c43
SHA256 74128f19c5d027ca0c29601345bc605c59373128e54fa7f00a022382a4a49b17
SHA512 f8f96600c9f4dd90ecbdc29cd7d3095ce2a34df40517cef9bf846cad1a19d8f61fe9cd36e56d5f0885e3381f01fc74fe626d63232e3b0b4b978e765ad35d49ae

C:\Users\Admin\AppData\Local\Temp\bce03413-b6dd-4ae3-9a6c-69b16ec75c78.vbs

MD5 005d2b2b236c5cc4c1cbe808da565f60
SHA1 b0d99c72d1d7c6385d9670abc005f9c84e4485d3
SHA256 13c0ec6dd8ab27216a078bcf2c8c618315e52058ab55fe4783e367602a7fa8b7
SHA512 46cdf35f8d8d05b4ecabf0de5a55446047269648b6fbc16b8ea46a1ccc07ba1df88ff2f512342668eb47564570f70de7c13b6d90b6e0feeb6a8b3f0b9f9e3225

memory/2236-108-0x00000000010D0000-0x00000000011DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8f8fd66b-2d9d-4903-a017-ad07949edca8.vbs

MD5 c0c93a87229dc495b8934d866b9eda58
SHA1 4c02bcfe02973b876e80fe28728be0885babcd61
SHA256 4fa9d4fbefcbacc9022861a0a6ec669ec1a43a7184cc358692fb49c1575ff7ed
SHA512 706d6a6c621cee732becf76e15afd3081ab8d09bebdf6429e24296241fd840267da9c4efef7c40b007c270de914d8ffe435d13084aa2e91ac4f59e8d0cf54054

memory/1448-120-0x0000000000160000-0x000000000026A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91dab18d-5f61-4f74-b29d-ec1aaaba0669.vbs

MD5 c9feda25bc37c97ad5fa8ed0950354ad
SHA1 80be72d6ece74c4098b2d182d0da24a83b81eef7
SHA256 e80115a4dbeccc533a20e1acd0cc8358cacce35308c458f813ed86a1d8464b02
SHA512 96c4c0c4897ef6a104e8af325281b658fd6f1388dd35a5fdecef9319964d727582153199e459f736392664cdee8378f22a9e8e937ee7d2b7adc3f062bed60489

memory/2576-132-0x0000000001080000-0x000000000118A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2c12ceac-15b7-486c-8413-b4c83a9f62d3.vbs

MD5 de691c8b44752ce738aeeedebbaa260e
SHA1 9579da9ae1814d64f9043fd8fcd51321615372fd
SHA256 883a7214ef6bcc1627cc88a01d606d6695c1e0af957c4d85fa341ffdc7bc2957
SHA512 2201abd28c099780067a622ddd3f7c794a898f0a163730a5cdd41e571f6688bfd4af67ce725538a431589141e9235efd263e30cf5ed0689f4f92a60aca25704d

C:\Users\Admin\AppData\Local\Temp\d44d7382-56d4-417b-bdb7-bc6953367a24.vbs

MD5 7e9c6a7326f699fd671e274d56209b8d
SHA1 5071f0c88ec24fd80871b8e26d2295bffc3f10c7
SHA256 0fa5981bf91e15eca9dfa8346ef3a80751c09f309dadf691cb63ce9484eef681
SHA512 7a8eb5bb282afdaf19c9c2574eb135de123ec8e33d4d2f53016c75b3e24a2ce57cfb76d453f056c3427d97ff8c365b91e4244d0a89c3ca86dcef0439eb59a04d

memory/2972-155-0x00000000013B0000-0x00000000014BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8b3d5d39-1590-4997-b779-71857d6230ec.vbs

MD5 e6dcc86cc0253ef69ffed2ef374c2e7c
SHA1 579905f2271139d74a7fb78a6a7dbdbb78842f35
SHA256 903aabab0a6c3f8bfd274e55ddbf61b8006685f454faaefc17377c603331d7df
SHA512 7dc607088fb7d051848618527df2335667da5586def92d3175097305fc0b519be658999adf7896e86b0877fb452598e11e6a292d4c924a9793f115f9067245d4

C:\Users\Admin\AppData\Local\Temp\2c0719aa-1de7-45f8-9711-78d60cff2e8d.vbs

MD5 47cf841788510b1f8ed743b5f8e5ab48
SHA1 6b8533afb27d9540e4cd6d101f2246a453c07dad
SHA256 97e3b0c2033a03ca223cd798cc5b71ba4e878de737ad4f8d29e1f98c0858cf4d
SHA512 0db850e3c6736dea0c6fd315928b8705e1a85030e1c95cd6afff6a710d582da5b3bdddfed4775f9715d3219d2c0ad282a36d9aac972b75c589ac33b927a8d266

C:\Users\Admin\AppData\Local\Temp\674d2b82-bb28-48a1-9828-ad3ef457ba31.vbs

MD5 c96473a2ea30cba35f095c63fc1d1334
SHA1 590a00c9d74f8a1303cb9273f613a1a11385acc0
SHA256 1e5ae4e3c23396abf96766f577442237f599fb77618a7870b2e978809eda2e71
SHA512 34d667fa3fa13bfc0fe335d9b35b4efc6b90ab73761d48acc42880f07e7013a126d2627af93147302079ad5d517abdc2386ca61340cd0f4ec1e1eb8f562f9c32

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 18:41

Reported

2024-07-22 18:44

Platform

win10v2004-20240709-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\unsecapp.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinMetadata\conhost.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\5b884080fd4f94 C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files\Windows Mail\backgroundTaskHost.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files\Windows Mail\eddb19405b7ce1 C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Speech_OneCore\spoolsv.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Windows\Speech_OneCore\f3b6ecef712a24 C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Windows\IME\IMEJP\help\dwm.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
File created C:\Windows\IME\IMEJP\help\6cb0b6c459d5d3 C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Recovery\WindowsRE\unsecapp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1440 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe C:\Windows\SysWOW64\WScript.exe
PID 1440 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe C:\Windows\SysWOW64\WScript.exe
PID 1440 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe C:\Windows\SysWOW64\WScript.exe
PID 5000 wrote to memory of 212 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 212 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 212 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
PID 212 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
PID 4864 wrote to memory of 332 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 332 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 532 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 532 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4864 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat" "

C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe

"C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\IMEJP\help\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\IME\IMEJP\help\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\IMEJP\help\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\WindowsRE\unsecapp.exe

"C:\Recovery\WindowsRE\unsecapp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38ac3c2a-f314-4710-b981-84eb51ef3a3e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdb94648-9fcc-4c16-99c9-d5bdc26a4a9d.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\095f2e49-acdd-4e6c-a1e6-037f20500a3c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f0602db-7c4e-47a9-a397-ce1c266e82fc.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c51665ca-a737-431b-8bb0-00ad60c59b0e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9813e787-cd73-4ae0-bff2-f1509b4ddbe1.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aee2bb53-6c3c-4b42-a51d-fdb66ddca660.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ba544b-bad9-4b2c-82e7-027e40456557.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e15135f3-62af-4f55-bd90-6295a6463c8a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08d34ecb-8fa2-4ceb-9fb6-e5d2818d1ea0.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4ec5dab-ec83-46d2-aeae-3a11613e2bd5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\572c531d-652d-4378-9024-324d5a593f46.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d4b2bb3-c7b8-4232-aa3d-95bfbb08a5dd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c342f0b-4bdb-43f0-b42c-6418a9a707d9.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735ac258-4e1e-4761-960d-8aa02da7749c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bedcbfef-4e6e-458a-ae20-c057aea91f55.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2993e3de-13cf-4cc2-b4ff-325f79dfdfb6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75840b2e-fb4f-468d-9f24-7a6d3e962575.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69169b55-ffe5-4530-b6b7-1a8f5fc66b95.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c59f4ef6-86a8-4635-95dd-3d9eb961dba3.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fa507fb-edac-4700-ae77-d63630b9d52d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9177ea3-c921-4ce0-9f03-42e7d72090e7.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e380bc9b-7ed2-4625-897c-f10fb67e9a5f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9e0d53f-0381-4eb1-8700-c88d575b2694.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a134271c-494a-423e-a638-7a169c72276c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71f0b916-1b5b-4159-83ea-931b3ab474e8.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa290b18-e870-4f24-893e-bc4fb911ec15.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e76b26f9-4f73-4645-961c-3de628f04ea6.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1b8f8b8-d3d2-4e55-b6e4-7463419bcff4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33cb9dca-e6f8-4dd2-b52e-faf17f83eb5f.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c7538d8-c5f8-4162-bf9c-9edcfb6eb481.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4362d34-fe4d-4dbd-bb8a-a5dd5028c1d7.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d968f471-df42-461e-b513-6f4d0874105a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23ee183b-e8bc-41da-97b1-766fb1548059.vbs"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c47d7458-7ebc-430a-9291-2f2600279c9a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e9fca2f-7506-4ae2-a6df-a358d04a2e5c.vbs"

Network


Files
