Analysis Overview
SHA256
34646a46c7823387ef84784c27a8ddbecd27172c2c0d7774142b6c3bb294105e
Threat Level: Known bad
The file SecuriteInfo.com.Win64.RATX-gen.28952.31676.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
njRAT/Bladabindi
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops startup file
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 16:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 16:32
Reported
2024-07-26 16:34
Platform
win7-20240705-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\dllhost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
njRAT/Bladabindi
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.RATX-gen.28952.31676.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.RATX-gen.28952.31676.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionProcess "SecuriteInfo.com.Win64.RATX-gen.28952.31676.exe";Add-MpPreference -ExclusionProcess "svchost.exe";Add-MpPreference -ExclusionProcess "Windows.exe";Add-MpPreference -ExclusionPath "Windows.exe";Add-MpPreference -ExclusionPath "svchost.exe";Add-MpPreference -ExclusionProcess ".exe";Add-MpPreference -ExclusionProcess "exe";Add-MpPreference -ExclusionPath 'C:\';Add-MpPreference -ExclusionPath '%AppData%\Microsoft\Windows';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe"
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe"
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 5
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "ChromeUpdate" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {62D7ECED-5CE1-4138-97DA-02F8CD5739CF} S-1-5-21-2172136094-3310281978-782691160-1000:EXCFTDUU\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
Network
| Country | Destination | Domain | Proto |
| NL | 167.71.14.135:80 | 167.71.14.135 | tcp |
| US | 8.8.8.8:53 | kgb963.duckdns.org | udp |
| NL | 167.71.14.135:1118 | kgb963.duckdns.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.16.170.123:80 | crl.microsoft.com | tcp |
Files
memory/1596-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp
memory/1596-1-0x000000013F230000-0x000000013F240000-memory.dmp
memory/1688-6-0x000007FEF2E6E000-0x000007FEF2E6F000-memory.dmp
memory/1688-7-0x000000001B560000-0x000000001B842000-memory.dmp
memory/1688-8-0x00000000022E0000-0x00000000022E8000-memory.dmp
memory/1688-9-0x000007FEF2BB0000-0x000007FEF354D000-memory.dmp
memory/1688-12-0x000007FEF2BB0000-0x000007FEF354D000-memory.dmp
memory/1688-11-0x000007FEF2BB0000-0x000007FEF354D000-memory.dmp
memory/1688-10-0x000007FEF2BB0000-0x000007FEF354D000-memory.dmp
memory/1688-13-0x000007FEF2BB0000-0x000007FEF354D000-memory.dmp
memory/1596-14-0x000000001B990000-0x000000001BA10000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe
| MD5 | daaccc9d9770ccaa2f1debe2fe91c08b |
| SHA1 | bfd533d27be470ac2c55965853a54611f6584267 |
| SHA256 | 740c0c74cf7d84ea29dbcc80f7e459a499a8bec5ca64ec6b4e46a521431fe192 |
| SHA512 | a3034320e5f897aa73f58e5abe086bfa7a1b099402ce261d88a6054bfb19341a108afcaf3b2aa0057507aea247eb1ff8dd4478231774e7049a79617c7a8ce955 |
memory/2988-21-0x0000000000FF0000-0x000000000107E000-memory.dmp
memory/2552-39-0x00000000002E0000-0x000000000036E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 16:32
Reported
2024-07-26 16:34
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\dllhost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
njRAT/Bladabindi
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.RATX-gen.28952.31676.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.RATX-gen.28952.31676.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.RATX-gen.28952.31676.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionProcess "SecuriteInfo.com.Win64.RATX-gen.28952.31676.exe";Add-MpPreference -ExclusionProcess "svchost.exe";Add-MpPreference -ExclusionProcess "Windows.exe";Add-MpPreference -ExclusionPath "Windows.exe";Add-MpPreference -ExclusionPath "svchost.exe";Add-MpPreference -ExclusionProcess ".exe";Add-MpPreference -ExclusionProcess "exe";Add-MpPreference -ExclusionPath 'C:\';Add-MpPreference -ExclusionPath '%AppData%\Microsoft\Windows';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe"
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe"
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 5
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "ChromeUpdate" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 167.71.14.135:80 | 167.71.14.135 | tcp |
| US | 8.8.8.8:53 | 135.14.71.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kgb963.duckdns.org | udp |
| NL | 167.71.14.135:1118 | kgb963.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2428-0-0x00007FFF2AFB3000-0x00007FFF2AFB5000-memory.dmp
memory/2428-1-0x0000000000B20000-0x0000000000B30000-memory.dmp
memory/4864-2-0x000001DA22520000-0x000001DA22542000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlwtoinx.sj0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4864-12-0x00007FFF2AFB0000-0x00007FFF2BA71000-memory.dmp
memory/4864-13-0x00007FFF2AFB0000-0x00007FFF2BA71000-memory.dmp
memory/4864-14-0x00007FFF2AFB0000-0x00007FFF2BA71000-memory.dmp
memory/4864-17-0x00007FFF2AFB0000-0x00007FFF2BA71000-memory.dmp
memory/2428-18-0x00007FFF2AFB0000-0x00007FFF2BA71000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Windows.exe
| MD5 | daaccc9d9770ccaa2f1debe2fe91c08b |
| SHA1 | bfd533d27be470ac2c55965853a54611f6584267 |
| SHA256 | 740c0c74cf7d84ea29dbcc80f7e459a499a8bec5ca64ec6b4e46a521431fe192 |
| SHA512 | a3034320e5f897aa73f58e5abe086bfa7a1b099402ce261d88a6054bfb19341a108afcaf3b2aa0057507aea247eb1ff8dd4478231774e7049a79617c7a8ce955 |
memory/2428-28-0x00007FFF2AFB0000-0x00007FFF2BA71000-memory.dmp
memory/4984-29-0x00000000002B0000-0x000000000033E000-memory.dmp
memory/4984-30-0x0000000004CE0000-0x0000000004D7C000-memory.dmp
memory/4984-31-0x0000000005330000-0x00000000058D4000-memory.dmp
memory/4984-32-0x0000000005090000-0x0000000005122000-memory.dmp
memory/1400-46-0x0000000005520000-0x000000000552A000-memory.dmp
memory/1400-48-0x00000000064B0000-0x0000000006516000-memory.dmp
memory/1400-49-0x0000000006480000-0x0000000006498000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
| MD5 | 50045c5c59ae3eb2db5452fb39e13335 |
| SHA1 | 56226b40d4458df7e92f802381401e4183c97cb2 |
| SHA256 | b90b2a4ba2c69f094edce48807ad1873b1265c83795139fbf4576697fe65cae9 |
| SHA512 | bb20f9389e69e4a17fa254bd3b77212797f3be159ec6129b3a1501db3e24fb7b12096fbdbfcc93c24ecdb3cea88eae8a58e279b39c0777b6a4e9d4c15057faa4 |