Malware Analysis Report

2025-08-10 14:27

Sample ID 230405-r75wwshd6w
Target a26ae5eb4e86ca54a1d338220318c43b.exe
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
Tags
dcrat infostealer persistence rat
score
10/10


Analysis Overview

score
10/10

SHA256

fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

Threat Level: Known bad

The file a26ae5eb4e86ca54a1d338220318c43b.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat

Modifies WinLogon for persistence

DcRat

Process spawned unexpected child process

DCRat payload

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-04-05 14:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-05 14:51

Reported

2023-04-05 14:53

Platform

win7-20230220-en

Max time kernel

114s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe | N/A
Note: "explorer.exe" is the default Shell value, so the indicator is that a dropped binary under C:\Recovery writes the logon-shell key at all, not the value written. The Wow6432Node path is the 32-bit registry view the sample reaches through WOW64 redirection (its child cmd.exe and w32tm.exe run from SysWOW64).

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (36 identical events) | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Program Files\Windows Media Player\Network Sharing\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Program Files\Internet Explorer\images\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Program Files\Internet Explorer\images\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\de-DE\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\PLA\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Windows\PLA\Rules\en-US\smss.exe | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Windows\PLA\Rules\en-US\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Windows\PLA\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File opened for modification | C:\Windows\PLA\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1700 wrote to memory of 992 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe
PID 992 wrote to memory of 852 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe
PID 852 wrote to memory of 300 (4 events) | N/A | C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe | C:\Windows\SysWOW64\cmd.exe
PID 300 wrote to memory of 336 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\w32tm.exe
PID 336 wrote to memory of 1688 (4 events) | N/A | C:\Windows\SysWOW64\w32tm.exe | C:\Windows\system32\w32tm.exe
Note: every writer is the direct parent of the process it writes to, so these rows record the launch chain (sample 1700 -> second copy of the sample 992 -> Idle.exe 852 -> cmd.exe 300 -> 32-bit w32tm.exe 336 -> 64-bit w32tm.exe 1688). A parent writing into a child it has just created is part of normal process start-up; this signature is not evidence of injection into an unrelated process.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe

"C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PLA\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe

"C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f

C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe

"C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "a26ae5eb4e86ca54a1d338220318c43b" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "a26ae5eb4e86ca54a1d338220318c43ba" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsass" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsassl" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "Idle" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "IdleI" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "taskhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "taskhostt" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "Idle" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "IdleI" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "Idle" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "IdleI" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat" "

C:\Windows\SysWOW64\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
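
The persistence and launch-chain records above lend themselves to a few mechanical triage rules: a scheduled task whose target borrows a Windows system-binary name (winlogon, csrss, smss, lsass, sppsvc, taskhost, Idle) but lives outside System32 or SysWOW64; /rl HIGHEST on a task registered by a user-mode dropper; a MINUTE trigger with a small /mo interval; any write to Winlogon\Shell by an untrusted binary; and schtasks.exe appearing as a child of WmiPrvSE.exe, which is where a process launched through WMI's Win32_Process.Create lands. The script below is an added example, not part of the sandbox report or of DcRat itself. It runs those rules over a handful of event records copied from this report plus one constructed benign control. The record layout (dicts with a "type" key), the rule names, and the trusted-directory and system-name lists are this example's own assumptions. The w32tm /stripchart /computer:localhost /period:5 /samples:2 calls under cmd.exe take several seconds to complete, which is consistent with the batch file using them as a delay; that is an inference, not something the report states.

```python
"""
Added example, not part of the sandbox report or of DcRat: triage rules
for the schtasks / Winlogon\Shell / WmiPrvSE persistence pattern.
Record layout, rule names and the lists below are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Names DcRat-style droppers borrow from Windows system binaries (assumed list).
SYSTEM_NAMES = {
    "winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe", "sppsvc.exe",
    "taskhost.exe", "idle.exe", "runtimebroker.exe", "dllhost.exe",
    "dwm.exe", "spoolsv.exe", "wmiprvse.exe", "svchost.exe", "explorer.exe",
}
# The only directories where those names legitimately live (assumed list).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# "/opt value" pairs; a bare flag such as /f or /create has no value.
OPT_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/"]\S*))?')
WINLOGON_SHELL_RE = re.compile(r"\\Winlogon\\Shell\b", re.I)
# A process started via WMI Win32_Process.Create has WmiPrvSE.exe as parent;
# these children should never hang off it.
UNEXPECTED_CHILDREN = {"wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe"}}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return the option map of a 'schtasks /create' command line, else None."""
    if not re.match(r'\s*"?(?:[^"\s]*\\)?schtasks(?:\.exe)?"?\s', cmdline, re.I):
        return None
    opts = {k.lower(): v.strip('"').strip("'") for k, v in OPT_RE.findall(cmdline)}
    return opts if "create" in opts else None


def task_findings(opts: dict) -> list:
    """Rules over one parsed /create: masquerade, run level, short interval."""
    target = opts.get("tr", "")
    name = basename(target)
    found = []
    if name in SYSTEM_NAMES and not target.lower().startswith(TRUSTED_DIRS):
        found.append(Finding("task_target_masquerade", f"{opts.get('tn')} -> {target}"))
    if opts.get("rl", "").upper() == "HIGHEST":
        found.append(Finding("task_runlevel_highest", opts.get("tn", "")))
    if opts.get("sc", "").upper() == "MINUTE" and opts.get("mo", "").isdigit() and int(opts["mo"]) <= 15:
        found.append(Finding("task_short_interval", f"{opts.get('tn')} every {opts['mo']} min"))
    return found


def triage(events: list) -> list:
    """Run every rule over a list of {'type': ...} records and collect findings."""
    found = []
    for ev in events:
        if ev["type"] == "cmdline":
            opts = parse_schtasks(ev["value"])
            if opts:
                found.extend(task_findings(opts))
        elif ev["type"] == "regset":
            # Even the default value "explorer.exe" counts: what matters is an
            # untrusted binary touching the logon-shell key.
            if WINLOGON_SHELL_RE.search(ev["key"]) and not ev["process"].lower().startswith(TRUSTED_DIRS):
                found.append(Finding("winlogon_shell_write", f"{ev['process']}: {ev['key']}"))
        elif ev["type"] == "proc":
            parent, child = basename(ev["parent"]), basename(ev["child"])
            if child in UNEXPECTED_CHILDREN.get(parent, ()):
                found.append(Finding("unexpected_parent", f"{parent} -> {child}"))
    return found


SAMPLE_EVENTS = [
    # schtasks lines as printed in the report's Processes section
    {"type": "cmdline", "value": r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PLA\winlogon.exe'" /rl HIGHEST /f"""},
    {"type": "cmdline", "value": r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f"""},
    {"type": "cmdline", "value": r"""schtasks.exe /delete /tn "Idle" /f"""},
    # constructed benign control: System32 binary, no run level, daily trigger
    {"type": "cmdline", "value": r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Windows\System32\wbadmin.exe" /f"""},
    # registry write and parent/child pair from the Signatures section
    {"type": "regset",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "process": r"C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe"},
    {"type": "proc", "parent": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "child": r"C:\Windows\system32\schtasks.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.detail}")
```

On the six sample records the rules produce seven findings: two masquerade hits (winlogon.exe and smss.exe under C:\Windows\PLA), two /rl HIGHEST hits, one short-interval hit (smsss every 5 minutes), one Winlogon\Shell write by Idle.exe, and one WmiPrvSE.exe -> schtasks.exe parent anomaly; the /delete line and the constructed benign task produce nothing. The trusted-directory check is deliberately a prefix test on the lowercased path, so a task pointing at C:\Windows\System32\Tasks\csrss.exe would pass; extend TRUSTED_DIRS or tighten the rule to an exact directory match if that matters in your environment.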

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | battletw.beget.tech | udp
RU | 91.106.207.112:80 | battletw.beget.tech | tcp (3 connections)

Files

memory/1700-54-0x0000000000350000-0x00000000003A6000-memory.dmp

memory/1700-55-0x0000000006E00000-0x0000000006EDC000-memory.dmp

memory/1700-56-0x0000000004910000-0x0000000004950000-memory.dmp

memory/1700-57-0x0000000000870000-0x00000000008C6000-memory.dmp

memory/992-66-0x0000000004A80000-0x0000000004AC0000-memory.dmp

C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsass.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

memory/852-81-0x0000000000CF0000-0x0000000000D46000-memory.dmp

memory/852-82-0x0000000004BC0000-0x0000000004C00000-memory.dmp

memory/852-83-0x0000000004BC0000-0x0000000004C00000-memory.dmp

C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\6203df4a6bafc7

MD5 b69302340b37e76e74de8d4109602041
SHA1 4bee9f75b6da8e61d6e65ad870863a287233be09
SHA256 3d9b4f3d953752987c4786aedddd4becff9ae0b8d54fd22ce288644a2c71cb79
SHA512 d2f9234cb78da4b48df5dedd5806580f8ac09e5321a242deb648f68a9715652810d0717a93adced03749c4a7123fedc176999420d1ce751f479a959a2082b02e

C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Program Files\Windows Media Player\Network Sharing\b75386f1303e64

MD5 b5ff98415b8c67ec2767948559fd6f03
SHA1 8afe2d812280b1479aa0b40b27137855e8632289
SHA256 5fdc5fa825a540834b281ae0b358e6b1f63f97898c8bb448320b5daba17e3a6d
SHA512 852bd749576e171e8bf26355f20d086bcaf41c67028eb2e4bba53679479e59f495bfb92b9212383a310cb52e5e01582ecd2e7639876afbb677040ca2527070b2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\6ccacd8608530f

MD5 3eb774bb6e5e4a9835fd959c11c978af
SHA1 f66469e8076bd342c2299427b186b50fb9f70fdf
SHA256 00fe11debc2e6f425ffad932301c0897eb4f6e3f92e2d1daecde95aeb389886a
SHA512 a9229d484adf7e11654b0a6c99dfff2093f6e60587d04de0d53c29574f4cbf360eeb6ee71f52ed6a77d6c9c6c2641a6cd1d2e4f0dc0bcc64452a8e34862e1795

C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat

MD5 d56e3c754e4aae93b45349cee7b36926
SHA1 32f21bbdb6ca78fdb7ce7f6583d94a7762de9e7b
SHA256 32aeaf06e325c898a57d59618ba4b91b8bde6a31608fa27ce9bcc77780517920
SHA512 0820f3a1dc972ce9c8267674b2736112a04dbd35ed5620629d7844a39c70c82e17f39e82520c9955397df3f0b4f25111dadf1e3086a2c341d54d202a4cbf802b

C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\6ccacd8608530f

MD5 5da69b9322ea31c0ea607b09226235c5
SHA1 6369954872e29cb5008b31d2c86719715bf2235f
SHA256 9fcce6b17470426b1eb06e5f10d49a01f8094c96d4d3692846f2727fd37cc38b
SHA512 2ca1d8a7277fa4514731049686468f04ae017630eb5376d847ce4890836e35ec71dd09e52fce708e979b28bbcdfa0a6015db7c7c9e5d6275f723c629f649e667
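
Every dropped executable in the Files listing carries the same MD5, SHA1 and SHA256 as the submitted sample, so in this run the dropper copies itself under system-binary names rather than writing a distinct second-stage binary to disk, and each copy sits beside a 14-hex-character companion file with its own hash. The parser below is an added example, not part of the report: it reads the listing format used above (a path line followed by MD5/SHA1/SHA256/SHA512 lines, memory regions listed as bare memory/ paths with no hashes) and clusters entries by SHA256 so that the self-copies, the companion files and the batch script fall out as separate groups. The excerpt it parses is copied from the behavioral1 Files section and trimmed to MD5 and SHA256 lines for a few entries; the function names are this example's own.

```python
"""
Added example, not part of the sandbox report: parse the report's Files
listing and cluster dropped files by SHA256.  FILES_LISTING is copied from
the behavioral1 section and trimmed; function names are assumptions here.
"""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# In this report each dropped copy sits beside a 14-hex-character companion file.
COMPANION_RE = re.compile(r"\\[0-9a-f]{14}$")
SAMPLE_SHA256 = "fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e"

# Excerpt of the report's Files section (trimmed: SHA1/SHA512 lines dropped).
FILES_LISTING = r"""
memory/1700-54-0x0000000000350000-0x00000000003A6000-memory.dmp

C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsass.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\6203df4a6bafc7

MD5 b69302340b37e76e74de8d4109602041
SHA256 3d9b4f3d953752987c4786aedddd4becff9ae0b8d54fd22ce288644a2c71cb79

C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

C:\Program Files\Windows Media Player\Network Sharing\b75386f1303e64

MD5 b5ff98415b8c67ec2767948559fd6f03
SHA256 5fdc5fa825a540834b281ae0b358e6b1f63f97898c8bb448320b5daba17e3a6d

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat

MD5 d56e3c754e4aae93b45349cee7b36926
SHA256 32aeaf06e325c898a57d59618ba4b91b8bde6a31608fa27ce9bcc77780517920
"""


def parse_files(listing: str) -> list:
    """Return [{'path': str, 'hashes': {alg: hex}}] in listing order.
    Any non-hash line starts a new entry, so memory/ regions come out
    with an empty hash map."""
    entries, current = [], None
    for line in (raw.strip() for raw in listing.splitlines()):
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def cluster_by_sha256(entries: list) -> dict:
    """Map SHA256 -> list of paths; entries without a SHA256 are skipped."""
    groups = defaultdict(list)
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha:
            groups[sha].append(e["path"])
    return dict(groups)


def self_copies(entries: list, sample_sha256: str) -> list:
    """Paths that are byte-for-byte copies of the submitted sample."""
    return cluster_by_sha256(entries).get(sample_sha256.lower(), [])


def companion_files(entries: list) -> list:
    """The 14-hex-character files dropped beside each copy."""
    return [e["path"] for e in entries if COMPANION_RE.search(e["path"])]


def summarize(listing: str, sample_sha256: str) -> dict:
    entries = parse_files(listing)
    return {
        "entries": len(entries),
        "memory_regions": sum(1 for e in entries if not e["hashes"]),
        "self_copies": self_copies(entries, sample_sha256),
        "companions": companion_files(entries),
        "distinct_sha256": len(cluster_by_sha256(entries)),
    }


if __name__ == "__main__":
    for key, value in summarize(FILES_LISTING, SAMPLE_SHA256).items():
        print(key, value)
```

On the excerpt this yields eight entries, one of them a memory region, four self-copies (lsass.exe, two Idle.exe, taskhost.exe), two companion files and four distinct SHA256 values. For blocking, the sample hash alone covers every executable copy; the companion files and the batch script need their own entries, and the companion-file regex is specific to the naming seen in this report rather than a general DcRat rule.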

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-05 14:51

Reported

2023-04-05 14:53

Platform

win10v2004-20230220-en

Max time kernel

115s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | C:\odt\RuntimeBroker.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (44 identical events) | N/A | C:\Windows\system32\schtasks.exe |

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\odt\RuntimeBroker.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\odt\RuntimeBroker.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\odt\RuntimeBroker.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2376 wrote to memory of 1896 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe | C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 1156 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\w32tm.exe
PID 1156 wrote to memory of 4884 (2 events) | N/A | C:\Windows\SysWOW64\w32tm.exe | C:\Windows\system32\w32tm.exe
PID 1896 wrote to memory of 4652 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\odt\RuntimeBroker.exe
PID 4652 wrote to memory of 2472 (3 events) | N/A | C:\odt\RuntimeBroker.exe | C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2836 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\w32tm.exe
PID 2836 wrote to memory of 4508 (2 events) | N/A | C:\Windows\SysWOW64\w32tm.exe | C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe

"C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Music\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJ7YMgAEku.bat"

C:\Windows\SysWOW64\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\RuntimeBroker.exe

"C:\odt\RuntimeBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "a26ae5eb4e86ca54a1d338220318c43b" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "a26ae5eb4e86ca54a1d338220318c43ba" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "Idle" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "IdleI" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsv" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsvs" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "WmiPrvSE" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "csrss" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "WmiPrvSEW" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "csrssc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "RuntimeBroker" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "RuntimeBrokerR" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dllhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dllhostd" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "wininit" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "wininitw" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dwm" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dwmd" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "RuntimeBroker" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "RuntimeBrokerR" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat" "

C:\Windows\SysWOW64\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 battletw.beget.tech udp
RU 91.106.207.112:80 battletw.beget.tech tcp
RU 91.106.207.112:80 battletw.beget.tech tcp
US 8.8.8.8:53 112.207.106.91.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 20.189.173.5:443 tcp
NL 8.238.20.126:80 tcp
NL 8.238.20.126:80 tcp
NL 173.223.113.164:443 tcp
BE 23.55.97.181:80 tcp
US 131.253.33.203:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
RU 91.106.207.112:80 battletw.beget.tech tcp
RU 91.106.207.112:80 battletw.beget.tech tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

memory/2376-133-0x0000000000A70000-0x0000000000AC6000-memory.dmp

memory/2376-134-0x0000000007A60000-0x0000000007AFC000-memory.dmp

memory/2376-135-0x00000000080B0000-0x0000000008654000-memory.dmp

memory/2376-136-0x0000000007B00000-0x0000000007B92000-memory.dmp

memory/2376-137-0x0000000007A30000-0x0000000007A3A000-memory.dmp

memory/2376-138-0x0000000007D00000-0x0000000007D56000-memory.dmp

memory/2376-139-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/2376-142-0x0000000005EE0000-0x0000000005F46000-memory.dmp

C:\odt\RuntimeBroker.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Users\Admin\AppData\Local\Temp\TJ7YMgAEku.bat

MD5 d83fcecd6786ead9604fd45820f55c10
SHA1 8f20540d1a971110f20b1fd00f8c7c7a9cde9bd3
SHA256 4ed777c804c31df0ba67341808bc126e8164e53ec09ff044aae5f1bfdf5735a3
SHA512 659235b38abc105ea223ba3da2a82d0d7161a911b6dae31f1daaba72c4eec3974b37e1541b70f1ecfec15e072a5cffdff4407a3edcfc375caedd0ab56f0284a7

C:\odt\RuntimeBroker.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\odt\RuntimeBroker.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Users\All Users\Idle.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Users\All Users\6ccacd8608530f

MD5 073b4026177f64bc5dcf973c2e9cde8f
SHA1 b9ab6de016dd6f9bf8fe90897bba9b37915eaf44
SHA256 e7f992e95b5d1050cb4e1405da8567fa513c1bfd2b0ec390b607397c2d2559a8
SHA512 f57cc091e6ce91e126a30ed4f36c919b78059da7e68df943575b916f85894399f472767c0c7d6c3224c360c2cabad31a6022d811bdaa9f92673913532142bb4d

C:\Users\Public\f3b6ecef712a24

MD5 cb97993e05a105bc8bb6925664f20ecd
SHA1 31326c204512fcddbf41f4d4865956e513c0c57c
SHA256 13e7c13cba6bfd0f38ae318b3e9701f2454cc465b0e38e02fd0122f7663edc72
SHA512 ba8ed27548a7d29c588266c41f372fae295523f0bc88558e341b2eb03b551223e8c260902819e9e07adade48d367e0df587b0c8516e80f7a15be486cf53f3555

C:\Users\Public\spoolsv.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Users\Public\Music\24dbde2999530e

MD5 3a957720e24eb61b512792318f49b7cb
SHA1 131e62f95e9f659fe38e1a7add67475d2b50cfc9
SHA256 780e64bb4ca666c7e21014b14218b39ec821e85f074cd2cb95d48add4dde8e83
SHA512 9b6a24995d1d329bc5432399b1454b9322b780d52d918a45a244930506183f4c50c17dea72f11afc7fa6970142dff54d4e13eaf3b8f4fb5318220afd7a41515b

C:\Users\Public\Music\WmiPrvSE.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Users\Admin\886983d96e3d3e

MD5 72eec52096b2c75f58c6be6ed09e5ad7
SHA1 e06cea168510c28811c10d2fe07e95f4b2a5c3ae
SHA256 5206b0935e9f4d2832cf7d1d7e2ca5fdfba9cdc8ed92e71f36657e9509117bca
SHA512 875e008a4ac02ae558c85c4f4a06a7b7fce118ffe98a684d838dfd4bf24f006a79dc99e042ab07e9cecaca6d4b4803c88f6032c521c8eb4277447b364f6d800d

C:\Users\Admin\csrss.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991

MD5 7b93aee8c1996a466672025adbcb60b4
SHA1 379df80d381965caf0593593ec060393bd1f1ab2
SHA256 93e47e74f838790334019f7db3c572e531fcba1b3139d6d4f4a75020abe026fa
SHA512 2556979b777a17e941d7c324e13ac7da32ab7f547338965a8708a04170f736ee3258385d02ac6f7d0b19e9c6e9cc4cf248b903d390fc7acaf25d04d2b0e70f4b

C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Users\Default\56085415360792

MD5 ec8d7b9bc65d3e7888c71690eb1554b8
SHA1 ad88963195d23a02500287cb761d7542434e6aa2
SHA256 f63685c23453555e694d531b03c66306c06850afb47022a0148e9f1949505162
SHA512 fb61bba06e35f5b9bbd2333237bc7a03046ddc82e9890d63cdc4622042000ceafae85c00c1a96953c7eed1742644331e4f023570bd42faf03ba77bce84541efd

C:\Users\Default\wininit.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe

MD5 a26ae5eb4e86ca54a1d338220318c43b
SHA1 ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256 fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512 0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3

MD5 4349513c8114ff75f4bbd07c4d1cc56f
SHA1 d5f5f1a0de34662728f6910369f320cc9aa362c5
SHA256 299dd89a5248761bec06e0f79ec3e533e5ef157e88fb5adc1f4e676b1e46daa2
SHA512 e6176584e14dd302f0ad1f616e830b0c73c1aff2ca472bff66c93dc74213b0cfb07ea74c96f69aa9a38b3a3323efe14f40a3d98b5c408fc0e67499c79e2a046d

C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

MD5 0073dbb00341e9fb6f485eadbb258059
SHA1 f4784db159f188c6e0720c2f2f7d0b53a97a4e82
SHA256 1594512c5581f14cb6440efe04dc7db67226365edbd4f12bb8cb64986fb42ec1
SHA512 69e7b78788d9ab792ab31bdfd5504009a6c6dc5fc8b21e066e883e4019c39104e61097c13892ef709b0524454fe30d3a2f0c4e58b1793a28d70eb525e9a442fc

C:\odt\9e8d7a4ca61bd9

MD5 cf1c5e0cc5d03981f71df39bbd2b7fb0
SHA1 0c808e8e6793eafe9018323a4047143b093187a3
SHA256 db27bfb9cb363c02ba95fcccbc2d95736cbab23b51e911a397538706d2025c8d
SHA512 efdc16b1e4e3bd25f536cd14103fe677005413c764ad3d0b20d7781c89f8fe67e73bb61aa8a1848dc39f628975a8430aff6cb9514a53a5184204c56d3d0a1ab9