Malware Analysis Report

2025-03-15 04:39

Sample ID 241027-1fwnkszrhl
Target 93ADC545175ABEC10A0925CCE209DB34.exe
SHA256 12137b32413d31781f51a13c09bd541efe0f27f270108d247099434df1d3b37f
Tags discovery execution persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 12137b32413d31781f51a13c09bd541efe0f27f270108d247099434df1d3b37f

Threat Level: Known bad

The file 93ADC545175ABEC10A0925CCE209DB34.exe was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence spyware stealer

Process spawned unexpected child process

Modifies WinLogon for persistence

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Runs ping.exe

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-27 21:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-27 21:36
Reported 2024-10-27 21:38
Platform win7-20240903-en
Max time kernel 143s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\", \"C:\\Windows\\System32\\it\\csrss.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\", \"C:\\Windows\\System32\\it\\csrss.exe\", \"C:\\MsContainerwinHost\\lsass.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\it\\csrss.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\sppsvc.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\it\\csrss.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MsContainerwinHost\\lsass.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MsContainerwinHost\\lsass.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | \??\c:\Windows\System32\CSCE36A15B8482D4EC8BA86DD65FA3CAB32.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A
File created | \??\c:\Windows\System32\byyuy-.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A
File created | C:\Windows\System32\it\csrss.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
File created | C:\Windows\System32\it\886983d96e3d3e | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
File opened for modification | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
File created | C:\Program Files\Windows Photo Viewer\ja-JP\0a1fd5f707cd16 | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\it-IT\6cb0b6c459d5d3 | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
N/A | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2448 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe | C:\Windows\SysWOW64\WScript.exe
PID 2448 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe | C:\Windows\SysWOW64\WScript.exe
PID 2448 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe | C:\Windows\SysWOW64\WScript.exe
PID 2448 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe | C:\Windows\SysWOW64\WScript.exe
PID 2480 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe
PID 856 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe
PID 856 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe
PID 856 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MsContainerwinHost\comagentFontsavescommon.exe
PID 2772 wrote to memory of 1572 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2772 wrote to memory of 1572 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2772 wrote to memory of 1572 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1572 wrote to memory of 2864 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1572 wrote to memory of 2864 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1572 wrote to memory of 2864 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2772 wrote to memory of 3012 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 3012 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 3012 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 3008 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 3008 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 3008 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2908 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2908 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2908 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2220 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2220 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2220 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2236 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2236 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2236 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2508 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\cmd.exe
PID 2772 wrote to memory of 2508 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\cmd.exe
PID 2772 wrote to memory of 2508 | N/A | C:\MsContainerwinHost\comagentFontsavescommon.exe | C:\Windows\System32\cmd.exe
PID 2508 wrote to memory of 1712 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 2508 wrote to memory of 1712 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 2508 wrote to memory of 1712 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 2508 wrote to memory of 2488 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2508 wrote to memory of 2488 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2508 wrote to memory of 2488 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2508 wrote to memory of 2344 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe
PID 2508 wrote to memory of 2344 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe
PID 2508 wrote to memory of 2344 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe
PID 2508 wrote to memory of 2344 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe
PID 2508 wrote to memory of 2344 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe

"C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsContainerwinHost\XbzxyZcOnpQflcdDpiS9CmpLat40p7m47ZcP1aBzUSB3men3gAnTOw07Azp.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\MsContainerwinHost\pHO8PqclKXULkE03ccrG.bat" "

C:\MsContainerwinHost\comagentFontsavescommon.exe

"C:\MsContainerwinHost/comagentFontsavescommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zjtl1l1g\zjtl1l1g.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F6.tmp" "c:\Windows\System32\CSCE36A15B8482D4EC8BA86DD65FA3CAB32.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\System32\it\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\it\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\it\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MsContainerwinHost\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MsContainerwinHost\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MsContainerwinHost\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\it\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainerwinHost\lsass.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e6uH18j37v.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe

"C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe"

Network

Country | Destination | Domain | Proto
RU | 80.66.89.37:80 | 80.66.89.37 | tcp
RU | 80.66.89.37:80 | 80.66.89.37 | tcp
RU | 80.66.89.37:80 | 80.66.89.37 | tcp
RU | 80.66.89.37:80 | 80.66.89.37 | tcp

Files

C:\MsContainerwinHost\XbzxyZcOnpQflcdDpiS9CmpLat40p7m47ZcP1aBzUSB3men3gAnTOw07Azp.vbe

MD5 3c50898e9195eb3c1d7c8cea93468019
SHA1 3b962be0c805f2f2a09c5c1794964c8159429bc4
SHA256 10b09e9cc88f3bd4235046dbf39868d6f7a04fedd84da0d2fafea869dcbba32f
SHA512 d6b15f2f9ba5bcdbefc9089eb3af061be7ccaaefd63ffc452aa394bafd9084d8bcef3c758284fbb4ca44d64a824ff35c74338e4aa366854b6f33e51055d27a1b

C:\MsContainerwinHost\pHO8PqclKXULkE03ccrG.bat

MD5 353975b28ea6dfcd7b3ee7c2222fc2bf
SHA1 fb9cfcb87c2e971ff15ca8c84ad532fc01de3621
SHA256 f0afad62ce1c068549a41b3c6a227dc2f93150b12932fa3b4aad475e010455b0
SHA512 6202b04157c2464b85dd07eb51fd96a80140c2d12d7715df74cb9a77140cfc63c7997d303b2607d7b92dd672cdadf1ba9c0dd0ec34e3ad8fc907f8b018fd09fa

\MsContainerwinHost\comagentFontsavescommon.exe

MD5 c1be88dd3db1295cc201b02d8a17e77f
SHA1 45ae6da495be64a0d3d39cd39147a05711b228dc
SHA256 f904ec745306831a78366b38809a00d5b90e9c950f035ee0a1d4154d34191405
SHA512 cd9a0ecefe5566f33656761d9c5d3e7b157f674f5638c0f2616941726580885f2566f93dcb80b4e266aaf9b3a068beb6acd6f32d960090a776065e30d59ae757

memory/2772-13-0x0000000000C50000-0x0000000000E9E000-memory.dmp

memory/2772-15-0x0000000000420000-0x000000000042E000-memory.dmp

memory/2772-17-0x0000000000A90000-0x0000000000AAC000-memory.dmp

memory/2772-19-0x0000000000430000-0x0000000000440000-memory.dmp

memory/2772-21-0x0000000000AB0000-0x0000000000AC8000-memory.dmp

memory/2772-23-0x00000000009E0000-0x00000000009EE000-memory.dmp

memory/2772-25-0x0000000000A70000-0x0000000000A7C000-memory.dmp

memory/2772-27-0x0000000000A80000-0x0000000000A90000-memory.dmp

memory/2772-29-0x0000000000AF0000-0x0000000000B06000-memory.dmp

memory/2772-31-0x0000000000B10000-0x0000000000B22000-memory.dmp

memory/2772-33-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

memory/2772-35-0x0000000000BD0000-0x0000000000BE8000-memory.dmp

memory/2772-37-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zjtl1l1g\zjtl1l1g.cmdline

MD5 2982a48d8cc00de54dab80852f18866c
SHA1 1a41b3869e3c93e7b767875ead3f48bf15a1fffa
SHA256 fada2175f31c94fc0e0a4b87112236170448cdb9ac129b68cd88ea4a70edc029
SHA512 0eb46cfe7b6847a99314da52c0b18283932d3dd5bd1d1d9079f318005b5ab7177907acaa302d053e7bb6fc9e386afd8097f8ab87baae5cbda1f8ccf3e1c91692

\??\c:\Users\Admin\AppData\Local\Temp\zjtl1l1g\zjtl1l1g.0.cs

MD5 7fd347e1c7f3d1365fea314828d5beac
SHA1 666e046bfa9e53f299105a1d0d4facc1a334a62f
SHA256 95eaf06e3d592783dfa8b94c2eb63543b80dac5d17bce20ce13cc0402674c97d
SHA512 b8cfc7005da264f648da3815e2843deaaa35ef21cfe7862225b9f43668f66d2c5bf457c9fb0387ef1f25ecbaf689f7e9873415f5aab61a2a6c3accc24e528b85

\??\c:\Windows\System32\CSCE36A15B8482D4EC8BA86DD65FA3CAB32.TMP

MD5 078586b266e519b5c113064d7a0bf45c
SHA1 a9395c0ef35add5c75591ebb94c85c1f33f408bf
SHA256 ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e
SHA512 5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

C:\Users\Admin\AppData\Local\Temp\RES8F6.tmp

MD5 b28b54de0b6298bb57209e81b21762dc
SHA1 9626b3357323e2df265e65ab1167e58fe2913295
SHA256 0aa48b82bae55bc514381dd5975ce75a5888bac016ea23275581e18d46b7387c
SHA512 ed8f6094fcbb91e7888e82c1697e0f029fe16c913982ad528d41afc25744882389e1e1e65288117dd9d0558c13a7a277b72b5744b05b92a0892495065605f577

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 703475b363326984b2083fe23a6b75b1
SHA1 8f3ebb3ba3ad18120824f2d865524914f10130e0
SHA256 5c83f399bbac0871d03a25bdde539182bf9c9ed67ad711501d667d5e899c534a
SHA512 4c4f0699f927b0798acd31efafb27d69beb0c8f6644435438f2cfad4e7c574b4890954d773e11638e27b187bf44f6fd4f1026c3ca474c3ac12bbac2b750bcf06

memory/3012-88-0x000000001B670000-0x000000001B952000-memory.dmp

memory/3008-89-0x0000000002720000-0x0000000002728000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e6uH18j37v.bat

MD5 e772bf2b98dccf9e6eeaf9ff6cd3c56e
SHA1 0bb2614e6dae74a7d65059fbe791dee77e59ed2c
SHA256 565d738a43cba674b50b2e2ecff9a6ed73a61d9436836576294f7661a0e4d3b7
SHA512 173f11441c3040016f863d054b94660c1ab0ccdbafb0625e1d2daf9a6ed8155d56c955a6d6a4173c28368a667412c579eeca75d4580206d7f89ebaec264d5f1e

memory/2344-93-0x00000000000A0000-0x00000000002EE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-27 21:36
Reported 2024-10-27 21:38
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\", \"C:\\MsContainerwinHost\\unsecapp.exe\", \"C:\\Windows\\PolicyDefinitions\\conhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\", \"C:\\MsContainerwinHost\\unsecapp.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\", \"C:\\MsContainerwinHost\\unsecapp.exe\", \"C:\\Windows\\PolicyDefinitions\\conhost.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\", \"C:\\MsContainerwinHost\\unsecapp.exe\", \"C:\\Windows\\PolicyDefinitions\\conhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\RuntimeBroker.exe\"" | C:\MsContainerwinHost\comagentFontsavescommon.exe | N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\MsContainerwinHost\comagentFontsavescommon.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\Windows\PolicyDefinitions\conhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\RuntimeBroker.exe\"" C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\"" C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\VLC\\SearchApp.exe\"" C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\MsContainerwinHost\\unsecapp.exe\"" C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\PolicyDefinitions\\conhost.exe\"" C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\MsContainerwinHost\\unsecapp.exe\"" C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\PolicyDefinitions\\conhost.exe\"" C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\RuntimeBroker.exe\"" C:\MsContainerwinHost\comagentFontsavescommon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC254CE15FA28448E792A23A14DFFD392D.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\-63gkj.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\SearchApp.exe C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\SearchApp.exe C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
File created C:\Program Files\VideoLAN\VLC\38384e6a620884 C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
File created C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
File created C:\Program Files\WindowsPowerShell\Configuration\Schema\9e8d7a4ca61bd9 C:\MsContainerwinHost\comagentFontsavescommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PolicyDefinitions\conhost.exe C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
File created C:\Windows\PolicyDefinitions\088424020bedd6 C:\MsContainerwinHost\comagentFontsavescommon.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\MsContainerwinHost\comagentFontsavescommon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
N/A N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\PolicyDefinitions\conhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\MsContainerwinHost\comagentFontsavescommon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\PolicyDefinitions\conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4412 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe C:\Windows\SysWOW64\WScript.exe
PID 4412 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe C:\Windows\SysWOW64\WScript.exe
PID 4412 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe C:\Windows\SysWOW64\WScript.exe
PID 4744 wrote to memory of 2056 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 2056 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 2056 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\MsContainerwinHost\comagentFontsavescommon.exe
PID 2056 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\MsContainerwinHost\comagentFontsavescommon.exe
PID 4920 wrote to memory of 4280 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4920 wrote to memory of 4280 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4280 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4280 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4920 wrote to memory of 3204 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3204 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1128 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1128 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3468 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3468 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4068 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4068 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3000 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3000 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4688 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\cmd.exe
PID 4920 wrote to memory of 4688 N/A C:\MsContainerwinHost\comagentFontsavescommon.exe C:\Windows\System32\cmd.exe
PID 4688 wrote to memory of 4056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4688 wrote to memory of 4056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4688 wrote to memory of 2436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4688 wrote to memory of 2436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4688 wrote to memory of 3084 N/A C:\Windows\System32\cmd.exe C:\Windows\PolicyDefinitions\conhost.exe
PID 4688 wrote to memory of 3084 N/A C:\Windows\System32\cmd.exe C:\Windows\PolicyDefinitions\conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe

"C:\Users\Admin\AppData\Local\Temp\93ADC545175ABEC10A0925CCE209DB34.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsContainerwinHost\XbzxyZcOnpQflcdDpiS9CmpLat40p7m47ZcP1aBzUSB3men3gAnTOw07Azp.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MsContainerwinHost\pHO8PqclKXULkE03ccrG.bat" "

C:\MsContainerwinHost\comagentFontsavescommon.exe

"C:\MsContainerwinHost/comagentFontsavescommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vfsew3fg\vfsew3fg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7C9.tmp" "c:\Windows\System32\CSC254CE15FA28448E792A23A14DFFD392D.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\MsContainerwinHost\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\MsContainerwinHost\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\MsContainerwinHost\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainerwinHost\unsecapp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JXdCwbXGR5.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\PolicyDefinitions\conhost.exe

"C:\Windows\PolicyDefinitions\conhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 80.66.89.37:80 80.66.89.37 tcp
RU 80.66.89.37:80 80.66.89.37 tcp
US 8.8.8.8:53 37.89.66.80.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 80.66.89.37:80 80.66.89.37 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 80.66.89.37:80 80.66.89.37 tcp
RU 80.66.89.37:80 80.66.89.37 tcp
RU 80.66.89.37:80 80.66.89.37 tcp

Files

C:\MsContainerwinHost\XbzxyZcOnpQflcdDpiS9CmpLat40p7m47ZcP1aBzUSB3men3gAnTOw07Azp.vbe

MD5 3c50898e9195eb3c1d7c8cea93468019
SHA1 3b962be0c805f2f2a09c5c1794964c8159429bc4
SHA256 10b09e9cc88f3bd4235046dbf39868d6f7a04fedd84da0d2fafea869dcbba32f
SHA512 d6b15f2f9ba5bcdbefc9089eb3af061be7ccaaefd63ffc452aa394bafd9084d8bcef3c758284fbb4ca44d64a824ff35c74338e4aa366854b6f33e51055d27a1b

C:\MsContainerwinHost\pHO8PqclKXULkE03ccrG.bat

MD5 353975b28ea6dfcd7b3ee7c2222fc2bf
SHA1 fb9cfcb87c2e971ff15ca8c84ad532fc01de3621
SHA256 f0afad62ce1c068549a41b3c6a227dc2f93150b12932fa3b4aad475e010455b0
SHA512 6202b04157c2464b85dd07eb51fd96a80140c2d12d7715df74cb9a77140cfc63c7997d303b2607d7b92dd672cdadf1ba9c0dd0ec34e3ad8fc907f8b018fd09fa

C:\MsContainerwinHost\comagentFontsavescommon.exe

MD5 c1be88dd3db1295cc201b02d8a17e77f
SHA1 45ae6da495be64a0d3d39cd39147a05711b228dc
SHA256 f904ec745306831a78366b38809a00d5b90e9c950f035ee0a1d4154d34191405
SHA512 cd9a0ecefe5566f33656761d9c5d3e7b157f674f5638c0f2616941726580885f2566f93dcb80b4e266aaf9b3a068beb6acd6f32d960090a776065e30d59ae757

memory/4920-12-0x00007FFE56CF3000-0x00007FFE56CF5000-memory.dmp

memory/4920-13-0x0000000000030000-0x000000000027E000-memory.dmp

memory/4920-15-0x0000000000E40000-0x0000000000E4E000-memory.dmp

memory/4920-17-0x0000000000EB0000-0x0000000000ECC000-memory.dmp

memory/4920-18-0x000000001AF50000-0x000000001AFA0000-memory.dmp

memory/4920-20-0x0000000000E90000-0x0000000000EA0000-memory.dmp

memory/4920-22-0x0000000000EF0000-0x0000000000F08000-memory.dmp

memory/4920-24-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

memory/4920-26-0x0000000000ED0000-0x0000000000EDC000-memory.dmp

memory/4920-28-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

memory/4920-30-0x00000000014D0000-0x00000000014E6000-memory.dmp

memory/4920-32-0x000000001AFA0000-0x000000001AFB2000-memory.dmp

memory/4920-33-0x000000001C7E0000-0x000000001CD08000-memory.dmp

memory/4920-35-0x00000000014B0000-0x00000000014BE000-memory.dmp

memory/4920-37-0x000000001C2B0000-0x000000001C2C8000-memory.dmp

memory/4920-39-0x00000000014C0000-0x00000000014CC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\vfsew3fg\vfsew3fg.cmdline

MD5 473d383eab773382fdc36f3dc3e21a66
SHA1 b0f4c5f7a4e9fa023372083d6503203f23fb1023
SHA256 da2ed2cc7db5dbbecbe2288ee11c0e089e29c0264efdd378fc9cf6f227b686ea
SHA512 be12a1e971d06324472eb822c4e90151b24f902173c0cb53c969f75b0c940b7fda6bca32406fe67dc8e96e0a375e3c2bc6bab3436bf93ba50935e0ec9d215ca3

\??\c:\Users\Admin\AppData\Local\Temp\vfsew3fg\vfsew3fg.0.cs

MD5 c50ce1596750a294c1eb612e42d16e60
SHA1 92d7f48133d3a6491adfd59ff16177ff136a2ad0
SHA256 2cf5a7e1510e8e012bd29fc5ae50a5e6061e3013e7858bcc4b88aa6406964c4f
SHA512 2672b1528ade372b538a8a36e656a6edd856ab544b2d6203892f32c70c2e361614dbce5eee6b6a7d9cbe8a4728d6f6f30e15482872f53cb4a6f17917a2c7325b

\??\c:\Windows\System32\CSC254CE15FA28448E792A23A14DFFD392D.TMP

MD5 82a7b8ef3bc275711e3b27c6df93c7ff
SHA1 bdac909f26475c94c74145576bcf22adb0f8203c
SHA256 582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124
SHA512 f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248

C:\Users\Admin\AppData\Local\Temp\RESA7C9.tmp

MD5 6ab8454b524a53c061105ff324580b07
SHA1 eb986e755575a2b7055d2cd9a369d7905e5c5e5c
SHA256 76fe48ded928d9ea95e089db37e9491d12ef2337b669c9b3f16ce7a6e3114935
SHA512 5970f06b9836bad027957eb675aea0899e80d5c779ed52a38aba426ee42ae29ac8cbecfc6db24af987bf43d8cf9029ca19c3b31ffe942b3a9c1737cfcb51b136

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epajmdvr.gtl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4068-73-0x0000021679620000-0x0000021679642000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JXdCwbXGR5.bat

MD5 a69d3dc7c1acfa7d32dce6f0397a2fb3
SHA1 1fd81c4c271a25f4bd931e3faafd8d5b1788a5b8
SHA256 0c5b90db8513aa96e8bc6492cb5c2d431c6e12e408f382346f3eaece29abe7c0
SHA512 8709d4389eb02efa531f0346af6c6aec2bd56038bbba24b321c1f48201026bb7c0a1de8004cfcb43279b5218afbcd763cf2eae9152df58d325002fb50a88e846

memory/1128-116-0x000002623EFB0000-0x000002623F11A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/4068-120-0x0000021679930000-0x0000021679A9A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

memory/3000-126-0x0000019AF4470000-0x0000019AF45DA000-memory.dmp

memory/3204-125-0x000001DC54BD0000-0x000001DC54D3A000-memory.dmp

memory/3468-129-0x000001447AE60000-0x000001447AFCA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

memory/3084-145-0x000000001C0B0000-0x000000001C0B8000-memory.dmp