Malware Analysis Report

2025-06-15 19:46

Sample ID 240324-xa46zseg73
Target 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848
SHA256 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848
Tags
rat dcrat infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848

Threat Level: Known bad

The file 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

DCRat payload

Dcrat family

Process spawned unexpected child process

DcRat

Modifies WinLogon for persistence

DCRat payload

Detects executables packed with SmartAssembly

Executes dropped EXE

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-24 18:39

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-24 18:39

Reported

2024-03-24 18:42

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\", \"C:\\Windows\\Temp\\Crashpad\\services.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\", \"C:\\Users\\Public\\Documents\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (identical row reported 27 times)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (4 matches, no details recorded)

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Mail\it-IT\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Documents\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Temp\\Crashpad\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Mail\\it-IT\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Google\\CrashReports\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Temp\\Crashpad\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Google\\CrashReports\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Videos\\Sample Videos\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Documents\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\ja-JP\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Google\CrashReports\RCX85CC.tmp C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\lsass.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File created C:\Program Files\Windows Mail\it-IT\csrss.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\lsass.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\RCX7EB7.tmp C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File created C:\Program Files\Windows Mail\it-IT\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File opened for modification C:\Program Files\Windows Mail\it-IT\csrss.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File opened for modification C:\Program Files\Windows Mail\it-IT\RCX7C94.tmp C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\RCX834B.tmp C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Performance\WinSAT\DataStore\lsass.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File created C:\Windows\Performance\WinSAT\DataStore\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File created C:\Windows\CSC\v2.0.6\winlogon.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File opened for modification C:\Windows\Performance\WinSAT\DataStore\RCX785E.tmp C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A
File opened for modification C:\Windows\Performance\WinSAT\DataStore\lsass.exe C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe N/A (37 occurrences)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (10 occurrences)
N/A N/A C:\Program Files\Windows Mail\it-IT\csrss.exe N/A (17 occurrences)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\cmd.exe
PID 2200 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\cmd.exe
PID 2200 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe C:\Windows\System32\cmd.exe
PID 968 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 968 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 968 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 968 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Mail\it-IT\csrss.exe
PID 968 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Mail\it-IT\csrss.exe
PID 968 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Mail\it-IT\csrss.exe
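The table above records each spawn three times, which hides the shape of the process tree. The Python below is an added helper for reading this kind of sandbox output and is not part of the report: it parses lines in the "PID X wrote to memory of Y" format, collapses the repeats, rebuilds the parent/child tree and flags the event that matters here, cmd.exe (PID 968) starting a file named csrss.exe from C:\Program Files\Windows Mail\it-IT. A genuine csrss.exe is only ever started by smss.exe, so the parent alone gives it away before any hash lookup. The sample lines are copied from the table above and repeated three times each to mimic the sandbox; the expected-parent map is my own assumption about normal Windows process ancestry and covers only the core boot-chain processes.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sandbox line format: "PID <parent> wrote to memory of <child> N/A <parent image> <child image>".
# Both images are absolute drive paths, so the lazy match for <src> stops at " X:\".
LINE_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A "
    r"(?P<src>[A-Za-z]:\\.*?) (?P<dst>[A-Za-z]:\\.*)$"
)

# Assumed legitimate parent (image name) for each core Windows process.
EXPECTED_PARENT = {
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
}

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe"
# Constructed input: four distinct spawns from the behavioral1 table, each tripled like the sandbox does.
_DISTINCT = [
    f"PID 2200 wrote to memory of 768 N/A {SAMPLE_EXE} C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    f"PID 2200 wrote to memory of 968 N/A {SAMPLE_EXE} C:\\Windows\\System32\\cmd.exe",
    r"PID 968 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 968 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Mail\it-IT\csrss.exe",
]
SAMPLE_LOG = [line for line in _DISTINCT for _ in range(3)]


def parse_events(lines):
    """Parse spawn records and drop exact repeats, keeping first-seen order."""
    events, seen = [], set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = (int(m["ppid"]), int(m["pid"]), m["src"], m["dst"])
        if rec not in seen:
            seen.add(rec)
            events.append(rec)
    return events


def build_tree(events):
    """Return (children by parent pid, image path by pid)."""
    children, images = defaultdict(list), {}
    for ppid, pid, pimg, cimg in events:
        images.setdefault(ppid, pimg)
        images[pid] = cimg
        if pid not in children[ppid]:
            children[ppid].append(pid)
    return children, images


def find_roots(children):
    """Pids that appear as a parent but never as a child."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def suspicious_spawns(events):
    """Flag a core-process image name started by a parent other than its expected one."""
    alerts = []
    for ppid, pid, pimg, cimg in events:
        cname = PureWindowsPath(cimg).name.lower()
        pname = PureWindowsPath(pimg).name.lower()
        expected = EXPECTED_PARENT.get(cname)
        if expected and pname != expected:
            alerts.append((ppid, pid, f"{cname} started by {pname}, expected {expected} ({cimg})"))
    return alerts


def render(children, images, pid, depth=0):
    """Indented text lines for the subtree rooted at pid."""
    out = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for kid in children.get(pid, []):
        out.extend(render(children, images, kid, depth + 1))
    return out


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    ch, im = build_tree(ev)
    for root in find_roots(ch):
        print("\n".join(render(ch, im, root)))
    for ppid, pid, why in suspicious_spawns(ev):
        print(f"ALERT {ppid} -> {pid}: {why}")
```

The same parser works on the full table if the lines are read from a file instead of SAMPLE_LOG; the powershell children (768, 948, 2408) then show up as siblings of cmd.exe under PID 2200.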

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe

"C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\lsass.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j1kG62r9vx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Mail\it-IT\csrss.exe

"C:\Program Files\Windows Mail\it-IT\csrss.exe"
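The command lines above show the sample's persistence and defence-evasion pattern in one place: it copies itself under the names of core Windows processes (csrss.exe, lsass.exe, winlogon.exe, wininit.exe, services.exe, dllhost.exe) into directories where those names do not belong, registers three scheduled tasks per copy (two short MINUTE triggers that act as a watchdog and one ONLOGON trigger with /rl HIGHEST), adds a Defender exclusion for every path with Add-MpPreference, and runs a dropped batch file whose w32tm /stripchart call is a common sleep substitute in batch launchers before the copied payload is started. The Python below is an added triage script, not part of the report, that pulls these signals out of process command lines. The command-line list is a subset copied from the process list above plus one constructed benign task as a control; the system-process names, directory hints and the 15-minute watchdog threshold are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumed: core Windows process names whose genuine binaries live only under
# %SystemRoot%\System32 (or SysWOW64). A copy anywhere else is masquerading.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "lsass.exe", "winlogon.exe", "wininit.exe",
    "services.exe", "dllhost.exe", "smss.exe", "svchost.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Assumed: locations a standard user can write to; a task target here is unusual.
USER_WRITABLE_HINTS = ("\\users\\public\\", "\\windows\\temp\\", "\\appdata\\")
MAX_WATCHDOG_MINUTES = 15  # assumption: MINUTE tasks at or below this look like a watchdog

TN_RE = re.compile(r'/tn\s+"([^"]*)"', re.IGNORECASE)
TR_RE = re.compile(r'/tr\s+"\'?(.*?)\'?"', re.IGNORECASE)   # handles "'path'" and "path"
SC_RE = re.compile(r"/sc\s+(\w+)", re.IGNORECASE)
MO_RE = re.compile(r"/mo\s+(\d+)", re.IGNORECASE)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)
BAT_RE = re.compile(r'cmd\.exe"?\s+/c\s+"?[^"]*\\temp\\[^"]*\.bat', re.IGNORECASE)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848.exe"
# Constructed input: seven lines copied from the process list above plus one benign control.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /f""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\csrss.exe'""",
    f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{SAMPLE_EXE}'",
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r'''"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j1kG62r9vx.bat"''',
    # Benign control (constructed): a daily task pointing at a vendor directory.
    r"""schtasks.exe /create /tn "ContosoUpdate" /sc DAILY /st 03:00 /tr "C:\Program Files\Contoso\updater.exe" /f""",
]


def is_masquerading_path(path: str) -> bool:
    """True when the file name is a core Windows process but the directory is not a system directory."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_PROCESS_NAMES and not str(p.parent).lower().startswith(SYSTEM_DIRS)


def analyse_cmdline(cmdline: str) -> list[str]:
    """Return human-readable findings for one process command line (empty list if clean)."""
    findings, low = [], cmdline.lower()

    if "schtasks" in low and "/create" in low:
        tn, tr = TN_RE.search(cmdline), TR_RE.search(cmdline)
        name = tn.group(1) if tn else "?"
        target = tr.group(1) if tr else ""
        if is_masquerading_path(target):
            findings.append(f"task '{name}': target imitates a system process outside System32 ({target})")
        if any(h in target.lower() for h in USER_WRITABLE_HINTS):
            findings.append(f"task '{name}': target lives in a user-writable directory ({target})")
        sc, mo = SC_RE.search(cmdline), MO_RE.search(cmdline)
        if sc and sc.group(1).upper() == "MINUTE" and mo and int(mo.group(1)) <= MAX_WATCHDOG_MINUTES:
            findings.append(f"task '{name}': re-runs every {mo.group(1)} minutes (watchdog-style persistence)")
        if "/rl highest" in low:
            findings.append(f"task '{name}': requests the highest run level")

    m = EXCL_RE.search(cmdline)
    if m:
        findings.append(f"Defender exclusion added for {m.group(1)}")
    if "w32tm" in low and "/stripchart" in low:
        findings.append("w32tm /stripchart used as a sleep substitute")
    if BAT_RE.search(cmdline):
        findings.append("cmd.exe runs a batch file from a Temp directory")
    return findings


def scan(cmdlines):
    """Map each command line that produced findings to its list of findings."""
    return {c: f for c in cmdlines if (f := analyse_cmdline(c))}


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(cmd)
        for h in hits:
            print("   ->", h)
```

Fed the full list from this report, the script flags 24 masquerading task targets (every name except System.exe), 18 watchdog triggers, 9 HIGHEST run levels, 10 Defender exclusions, the batch launcher and the w32tm delay; the benign control produces nothing.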

Network

Country Destination Domain Proto
US 8.8.8.8:53 cz13602.tw1.ru udp
RU 92.53.123.166:80 cz13602.tw1.ru tcp
US 8.8.8.8:53 vh316.timeweb.ru udp
RU 92.53.123.166:443 vh316.timeweb.ru tcp
RU 92.53.123.166:443 vh316.timeweb.ru tcp

Files

memory/2200-0-0x0000000000380000-0x000000000058A000-memory.dmp

memory/2200-1-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

memory/2200-2-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/2200-3-0x0000000000340000-0x000000000034E000-memory.dmp

memory/2200-4-0x0000000000350000-0x000000000035E000-memory.dmp

memory/2200-5-0x0000000000360000-0x0000000000368000-memory.dmp

memory/2200-6-0x0000000000600000-0x000000000061C000-memory.dmp

memory/2200-7-0x0000000000370000-0x0000000000380000-memory.dmp

memory/2200-8-0x00000000006A0000-0x00000000006B6000-memory.dmp

memory/2200-9-0x00000000006C0000-0x00000000006D0000-memory.dmp

memory/2200-10-0x00000000006D0000-0x00000000006DC000-memory.dmp

memory/2200-11-0x00000000006F0000-0x0000000000702000-memory.dmp

memory/2200-12-0x00000000008A0000-0x00000000008AC000-memory.dmp

memory/2200-13-0x0000000002120000-0x000000000212C000-memory.dmp

memory/2200-14-0x0000000002100000-0x0000000002108000-memory.dmp

memory/2200-15-0x00000000020E0000-0x00000000020EC000-memory.dmp

memory/2200-16-0x00000000020F0000-0x00000000020FE000-memory.dmp

memory/2200-17-0x0000000002110000-0x0000000002118000-memory.dmp

memory/2200-19-0x0000000002130000-0x000000000213E000-memory.dmp

memory/2200-18-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/2200-20-0x0000000002140000-0x000000000214C000-memory.dmp

memory/2200-21-0x0000000002150000-0x000000000215A000-memory.dmp

memory/2200-22-0x0000000002160000-0x000000000216C000-memory.dmp

memory/2200-31-0x000000001B320000-0x000000001B3A0000-memory.dmp

C:\Program Files\Windows Mail\it-IT\csrss.exe

MD5 03072d38c3624e9d7d83016a9069b2bd
SHA1 b6bc417dbb785265bbfdec6f5c8cb4b6928c1c2b
SHA256 28b4fe706983dca60bd9cb0b166710478c7a4ed12cb05d78a9b18b7c49891848
SHA512 f5300200abd8bec5d317f42617f90edd4243a9f4bd6aee05d61d72d331a4f71a13f7b118b49b9df8152bdf5b3cb6ea5711a0406b2ae5979d6579a8a2b75b2710

memory/2200-35-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/2200-51-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/2200-66-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/2200-81-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/2200-88-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/2200-102-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/2200-110-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

memory/2200-111-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/948-126-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2671fb1e9f68ecde59ee95c2a1067724
SHA1 d236555ce158c864745dab9cf02bddc9ac09ba61
SHA256 b4293fe18fd0c78188e10af094b41d36030ad1e4e09594514c37cef4a46c4b83
SHA512 94cfb328010f1a1b15122ab4fc701382d0fe80d61c81015f954b406e33d91672b5ea11f308fd5f78b7e744b61fadb5251943e819fe578db1cf614d81a3640d52

memory/948-127-0x0000000002480000-0x0000000002488000-memory.dmp

memory/2200-125-0x000000001B320000-0x000000001B3A0000-memory.dmp

memory/2200-167-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

memory/1444-166-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

memory/1444-168-0x0000000002740000-0x00000000027C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\j1kG62r9vx.bat

MD5 cee18913801ef5a64e8266e64ba6c898
SHA1 c65450c201ba59a4c2fec8e5e44ae1f51eba19cc
SHA256 8cde01e053a0fb1ce76f08c39c564b23187e2b4a9cbeaa894e1fa082e5480ebc
SHA512 890d27b8ade33aee52ef5134b71aa7dcc65fdf3cc2aedd89b1f486e0c7984755fc1b294d808e7dc575715dceff2bf176c586e2c6158ac6e89b4cfc5d84a3228c

memory/1444-170-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/948-171-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

memory/948-172-0x00000000028A0000-0x0000000002920000-memory.dmp

memory/948-173-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

memory/948-174-0x00000000028A0000-0x0000000002920000-memory.dmp

memory/948-175-0x00000000028A0000-0x0000000002920000-memory.dmp

memory/2408-176-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

memory/2408-177-0x0000000002600000-0x0000000002680000-memory.dmp

memory/2408-178-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

memory/2408-180-0x0000000002600000-0x0000000002680000-memory.dmp

memory/2408-179-0x0000000002600000-0x0000000002680000-memory.dmp

memory/1700-181-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

memory/1700-182-0x0000000002840000-0x00000000028C0000-memory.dmp

memory/1700-183-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

memory/1700-184-0x0000000002840000-0x00000000028C0000-memory.dmp

memory/1444-186-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/948-187-0x00000000028A0000-0x0000000002920000-memory.dmp

memory/1700-185-0x0000000002840000-0x00000000028C0000-memory.dmp

memory/1444-189-0x0000000002740000-0x00000000027C0000-memory.dmp

memory/1444-188-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

memory/2408-190-0x0000000002600000-0x0000000002680000-memory.dmp

memory/1700-191-0x0000000002840000-0x00000000028C0000-memory.dmp

memory/948-192-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

memory/1700-193-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

C:\Program Files\Windows Mail\it-IT\csrss.exe

MD5 d7c82ee2fcf09658dc75abb4c3b307ef
SHA1 caf69ffac1e03bb0e0716e03310266af526c5aea
SHA256 53e6c84280f40dff864dcd565916bf5377135c2d53a66cf3c52f5687b86ef0c4
SHA512 66f8bbecc9f6ba5204e3f135184ada51258a0629e23486e681c2b6a01d22f72d0b96de9cfa7165884c4d22bec17b1fa6efb2c33ccd218c73f56ba4377491e441

memory/2408-195-0x000007FEEC370000-0x000007FEECD0D000-memory.dmp

memory/1972-197-0x00000000000A0000-0x00000000002AA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar2F71.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-24 18:39

Reported

2024-03-24 18:40

Platform

win10v2004-20240226-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp

Files

N/A