Malware Analysis Report

2024-10-10 12:52

Sample ID 240601-bv61esdf35
Target 2a0c47d8f5e14cfda0437c59c57fbce9.bin
SHA256 0de2359b17f08c6bb6c9dd20d2e61700013fa90bc63b813d5607ac6542cd0143
Tags
rat dcrat execution infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0de2359b17f08c6bb6c9dd20d2e61700013fa90bc63b813d5607ac6542cd0143

Threat Level: Known bad

The file 2a0c47d8f5e14cfda0437c59c57fbce9.bin was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer persistence

DCRat payload

Dcrat family

Process spawned unexpected child process

DcRat

Modifies WinLogon for persistence

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 01:28

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 01:28

Reported

2024-06-01 01:31

Platform

win7-20240508-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Public\\Libraries\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Public\\Libraries\\wininit.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Public\\Libraries\\wininit.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Public\\Libraries\\wininit.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Public\\Libraries\\wininit.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\taskhost.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Public\\Libraries\\wininit.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\DVD Maker\\de-DE\\taskhost.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Libraries\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\DVD Maker\\de-DE\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\DVD Maker\\de-DE\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Google\\Temp\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Libraries\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Google\Temp\taskhost.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files\DVD Maker\de-DE\RCX49E3.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files\DVD Maker\de-DE\taskhost.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\Google\Temp\taskhost.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\Google\Temp\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files\DVD Maker\de-DE\taskhost.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files\DVD Maker\de-DE\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\Google\Temp\RCX3FD0.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A
N/A N/A C:\Users\Public\Libraries\wininit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1644 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\cmd.exe
PID 1644 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\cmd.exe
PID 1644 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\cmd.exe
PID 1068 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1068 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1068 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1068 wrote to memory of 2304 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Libraries\wininit.exe
PID 1068 wrote to memory of 2304 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Libraries\wininit.exe
PID 1068 wrote to memory of 2304 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Libraries\wininit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe

"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\de-DE\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\de-DE\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\services.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\de-DE\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\services.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aNa3Lme8Pe.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Libraries\wininit.exe

"C:\Users\Public\Libraries\wininit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0913612.xsph.ru udp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
RU 141.8.197.42:80 a0913612.xsph.ru tcp

Files

memory/1644-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

memory/1644-1-0x0000000000E20000-0x000000000101A000-memory.dmp

memory/1644-2-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

memory/1644-3-0x0000000000150000-0x000000000015E000-memory.dmp

memory/1644-4-0x0000000000160000-0x0000000000168000-memory.dmp

memory/1644-5-0x0000000000370000-0x000000000038C000-memory.dmp

memory/1644-6-0x0000000000450000-0x0000000000460000-memory.dmp

memory/1644-7-0x0000000000460000-0x0000000000476000-memory.dmp

memory/1644-8-0x0000000000480000-0x0000000000490000-memory.dmp

memory/1644-9-0x0000000000490000-0x000000000049C000-memory.dmp

memory/1644-10-0x0000000000620000-0x0000000000632000-memory.dmp

memory/1644-11-0x0000000000C00000-0x0000000000C0C000-memory.dmp

memory/1644-12-0x0000000000C90000-0x0000000000C9C000-memory.dmp

memory/1644-13-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

memory/1644-14-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

memory/1644-15-0x0000000000CB0000-0x0000000000CBE000-memory.dmp

memory/1644-17-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

memory/1644-16-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

memory/1644-18-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

memory/1644-20-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

memory/1644-19-0x0000000000E00000-0x0000000000E0A000-memory.dmp

memory/1644-21-0x0000000000E10000-0x0000000000E1C000-memory.dmp

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe

MD5 2a0c47d8f5e14cfda0437c59c57fbce9
SHA1 a1c37d6d20049b2bc1a1db1d99b4f5b7fcd9c2b0
SHA256 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400
SHA512 790702639348c58c99dcf4bd35d3b47bd544c7e4cd43fab90b5643f2917e3549e8e92a09d7aea3fed05766c086bdecdadf70c392289c46dc667e69cde73595d5

memory/1044-135-0x000000001B700000-0x000000001B9E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a7cc370b9c398f757e6515faa6c9b180
SHA1 58f0222803e84a044b9995740cc36768a7fde6e3
SHA256 7f89ebb4a00dbf482461d81229e6f60861a3a0bd20b7ff0fbd6705ff530ff5ef
SHA512 8b1ef5ba03be932588d15ddc28b928377bafe233e0eaefa26ce16dd5956e3e95e28f37ec3dcb31e33e43694fc3e023a140ce710f57d2fa38659e65c79f419ae9

memory/1044-142-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

memory/1644-143-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aNa3Lme8Pe.bat

MD5 f5f1c13ca054df640dc3466f165ec33f
SHA1 3cff6fbed26e750fb860233c172373710c9b8831
SHA256 15854401d8b416947eb50559b31a1490b09f8a2233dac8794fa8f16a82faaeb8
SHA512 a1425f0e9abcb08a0874870ff226ed18013dde033c62ed03932dc3808eeb07007fdb4a93277c134ebd74f09cda38f53a7cedd0ddc7c32729bde61172644ef573

memory/2304-161-0x00000000011A0000-0x000000000139A000-memory.dmp

memory/2304-162-0x0000000000A80000-0x0000000000A92000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 01:28

Reported

2024-06-01 01:31

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\AdvancedInstallers\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A
N/A N/A C:\Recovery\WindowsRE\taskhostw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\taskhostw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Recovery\WindowsRE\taskhostw.exe
PID 2528 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Recovery\WindowsRE\taskhostw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe

"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'

C:\Recovery\WindowsRE\taskhostw.exe

"C:\Recovery\WindowsRE\taskhostw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 a0913612.xsph.ru udp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2528-0-0x00007FFBFE473000-0x00007FFBFE475000-memory.dmp

memory/2528-1-0x0000000000010000-0x000000000020A000-memory.dmp

memory/2528-2-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp

memory/2528-3-0x0000000002430000-0x000000000243E000-memory.dmp

memory/2528-4-0x000000001AE20000-0x000000001AE28000-memory.dmp

memory/2528-5-0x000000001AE30000-0x000000001AE4C000-memory.dmp

memory/2528-7-0x000000001AE50000-0x000000001AE60000-memory.dmp

memory/2528-6-0x000000001B4F0000-0x000000001B540000-memory.dmp

memory/2528-8-0x000000001AE60000-0x000000001AE76000-memory.dmp

memory/2528-9-0x000000001AE80000-0x000000001AE90000-memory.dmp

memory/2528-11-0x000000001AEA0000-0x000000001AEB2000-memory.dmp

memory/2528-10-0x000000001AE90000-0x000000001AE9C000-memory.dmp

memory/2528-12-0x000000001BA70000-0x000000001BF98000-memory.dmp

memory/2528-13-0x000000001AED0000-0x000000001AEDC000-memory.dmp

memory/2528-14-0x000000001B540000-0x000000001B54C000-memory.dmp

memory/2528-15-0x000000001B650000-0x000000001B658000-memory.dmp

memory/2528-16-0x000000001B660000-0x000000001B66C000-memory.dmp

memory/2528-19-0x000000001B790000-0x000000001B79E000-memory.dmp

memory/2528-20-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp

memory/2528-21-0x000000001B7A0000-0x000000001B7AC000-memory.dmp

memory/2528-24-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

memory/2528-23-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp

memory/2528-22-0x000000001B7B0000-0x000000001B7BA000-memory.dmp

memory/2528-18-0x000000001B780000-0x000000001B788000-memory.dmp

memory/2528-17-0x000000001B670000-0x000000001B67E000-memory.dmp

C:\Recovery\WindowsRE\winlogon.exe

MD5 2a0c47d8f5e14cfda0437c59c57fbce9
SHA1 a1c37d6d20049b2bc1a1db1d99b4f5b7fcd9c2b0
SHA256 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400
SHA512 790702639348c58c99dcf4bd35d3b47bd544c7e4cd43fab90b5643f2917e3549e8e92a09d7aea3fed05766c086bdecdadf70c392289c46dc667e69cde73595d5

C:\Recovery\WindowsRE\taskhostw.exe

MD5 0e4ed8c20500f48a6f7abd5acf6847d9
SHA1 93284dfe2eb8b9b19321418ab2924fbb32640cc0
SHA256 e3a4b9b9afa0bf83d4a609ac03b0e7edfa7068b033e4e8fdf489aa3e670aa6e2
SHA512 b4f9e68c959e67f59c1fb0a0960ba975b8d5a22a6298dc5ac0521e72e89cf304fce52d153996b84ec599c97fefe767ad07504da4c0785341c0cc315e5e19d1a7

memory/2588-98-0x0000020DD5830000-0x0000020DD5852000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x00xsszs.wtl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

memory/1268-139-0x0000000000350000-0x000000000054A000-memory.dmp

memory/2528-140-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp

memory/1268-141-0x000000001B7F0000-0x000000001B802000-memory.dmp