Malware Analysis Report

2024-10-10 12:52

Sample ID 240601-da6j9sga53
Target 0de2359b17f08c6bb6c9dd20d2e61700013fa90bc63b813d5607ac6542cd0143
SHA256 0de2359b17f08c6bb6c9dd20d2e61700013fa90bc63b813d5607ac6542cd0143
Tags
rat dcrat execution infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0de2359b17f08c6bb6c9dd20d2e61700013fa90bc63b813d5607ac6542cd0143

Threat Level: Known bad

The file 0de2359b17f08c6bb6c9dd20d2e61700013fa90bc63b813d5607ac6542cd0143 was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer persistence

DcRat

DCRat payload

Modifies WinLogon for persistence

Dcrat family

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 02:49

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 02:49

Reported

2024-06-01 02:51

Platform

win7-20240508-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\MSBuild\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\MSBuild\smss.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Windows\\TAPI\\dwm.exe\", \"C:\\Windows\\Setup\\State\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\services.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Windows\\TAPI\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\Music\\Sample Music\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\TAPI\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Setup\\State\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\TAPI\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\Music\\Sample Music\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Setup\\State\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\MSBuild\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\MSBuild\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\en-US\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\Users\\Public\\Videos\\Sample Videos\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\en-US\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\RCX2F5B.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\RCX3BDF.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\MSBuild\smss.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\smss.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\MSBuild\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files\Internet Explorer\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Setup\State\winlogon.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Windows\AppPatch\AppPatch64\RCX4862.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Windows\TAPI\dwm.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Windows\Setup\State\winlogon.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Windows\Boot\EFI\ko-KR\explorer.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Windows\TAPI\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Windows\TAPI\dwm.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Windows\Setup\State\RCX4CD7.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Windows\AppPatch\AppPatch64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Windows\AppPatch\AppPatch64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Windows\TAPI\RCX4AD3.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Windows\AppPatch\AppPatch64\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Windows\Setup\State\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe
PID 2976 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe
PID 2976 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe

"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\AppPatch64\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\winlogon.exe'

C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe

"C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0913612.xsph.ru udp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
RU 141.8.197.42:80 a0913612.xsph.ru tcp

Files

memory/2976-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

memory/2976-1-0x0000000000AB0000-0x0000000000CAA000-memory.dmp

memory/2976-2-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

memory/2976-3-0x0000000000440000-0x000000000044E000-memory.dmp

memory/2976-4-0x0000000000450000-0x0000000000458000-memory.dmp

memory/2976-5-0x0000000000460000-0x000000000047C000-memory.dmp

memory/2976-6-0x0000000000680000-0x0000000000690000-memory.dmp

memory/2976-7-0x00000000022C0000-0x00000000022D6000-memory.dmp

memory/2976-8-0x0000000000690000-0x00000000006A0000-memory.dmp

memory/2976-9-0x00000000009D0000-0x00000000009DC000-memory.dmp

memory/2976-10-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

memory/2976-11-0x0000000002300000-0x000000000230C000-memory.dmp

memory/2976-12-0x0000000002310000-0x000000000231C000-memory.dmp

memory/2976-14-0x0000000002330000-0x000000000233C000-memory.dmp

memory/2976-13-0x0000000002320000-0x0000000002328000-memory.dmp

memory/2976-15-0x00000000024A0000-0x00000000024AE000-memory.dmp

memory/2976-16-0x00000000024B0000-0x00000000024B8000-memory.dmp

memory/2976-17-0x000000001A940000-0x000000001A94E000-memory.dmp

memory/2976-18-0x000000001A950000-0x000000001A95C000-memory.dmp

memory/2976-19-0x000000001A9E0000-0x000000001A9EA000-memory.dmp

memory/2976-20-0x000000001A9F0000-0x000000001A9FC000-memory.dmp

memory/2976-21-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsass.exe

MD5 2a0c47d8f5e14cfda0437c59c57fbce9
SHA1 a1c37d6d20049b2bc1a1db1d99b4f5b7fcd9c2b0
SHA256 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400
SHA512 790702639348c58c99dcf4bd35d3b47bd544c7e4cd43fab90b5643f2917e3549e8e92a09d7aea3fed05766c086bdecdadf70c392289c46dc667e69cde73595d5

C:\Windows\Setup\State\winlogon.exe

MD5 f1a506183dcb001c72b644f5b2c1b9a5
SHA1 f5d463cadf72764829af7926b43cdffa99275672
SHA256 0ae87b9b0dd457ba043a2f86f5321a56b854b2cdb6fd9c2bba8abd9239d8fa55
SHA512 2221b8a48fd43353e646055bfb9297c58d2e21ec8c3b4986298645adfc36fd445a9bada6fced95c954a835e3315a00f8bf0c13422c3f890e1703af2126c1df1a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 de764633ed11d0b919fa4c209be43d98
SHA1 7535b1388257533cf61ade286977d69a827c4b46
SHA256 82f7d7612520353f1589f43a088a156bbe085bd175897bd7cc8a91b80398a3d4
SHA512 b521a79a86f3f3259b778231c52e2896f28ed417fab6f713989587bae276a6dfe3cb20b6820d5bbc31509ab69e27f68513313dfabcea6ccd71e896b402d95fa1

memory/2704-167-0x000000001B670000-0x000000001B952000-memory.dmp

memory/2576-168-0x0000000002890000-0x0000000002898000-memory.dmp

memory/2028-233-0x0000000000190000-0x000000000038A000-memory.dmp

memory/2976-234-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

memory/2028-240-0x0000000002190000-0x00000000021A2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 02:49

Reported

2024-06-01 02:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\wininit.exe\", \"C:\\Windows\\SchCache\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\wininit.exe\", \"C:\\Windows\\SchCache\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\Registry.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\SchCache\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows NT\\Accessories\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\SchCache\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\Program Files\\Windows Portable Devices\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\Program Files\\Windows Portable Devices\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows NT\\Accessories\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\RCX5FA6.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\Microsoft\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX5D92.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\upfc.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\es-ES\RCX63AF.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\Microsoft\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX67B9.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files\Windows Portable Devices\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\RCX61AB.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\RCX69CD.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\wininit.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX6DF5.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\upfc.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files\Windows Portable Devices\d37dbfb5f5e1cb C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files\Windows NT\Accessories\wininit.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Program Files\Windows NT\Accessories\56085415360792 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\es-ES\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SchCache\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File created C:\Windows\SchCache\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Windows\SchCache\RCX6BE1.tmp C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
File opened for modification C:\Windows\SchCache\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4912 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Recovery\WindowsRE\Registry.exe
PID 4912 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe C:\Recovery\WindowsRE\Registry.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe

"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'

C:\Recovery\WindowsRE\Registry.exe

"C:\Recovery\WindowsRE\Registry.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 a0913612.xsph.ru udp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/4912-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp

memory/4912-1-0x00000000006F0000-0x00000000008EA000-memory.dmp

memory/4912-2-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/4912-3-0x0000000001160000-0x000000000116E000-memory.dmp

memory/4912-4-0x000000001B4F0000-0x000000001B4F8000-memory.dmp

memory/4912-5-0x000000001B520000-0x000000001B53C000-memory.dmp

memory/4912-6-0x000000001BBE0000-0x000000001BC30000-memory.dmp

memory/4912-8-0x000000001B540000-0x000000001B556000-memory.dmp

memory/4912-7-0x000000001B500000-0x000000001B510000-memory.dmp

memory/4912-9-0x000000001B560000-0x000000001B570000-memory.dmp

memory/4912-10-0x000000001B570000-0x000000001B57C000-memory.dmp

memory/4912-11-0x000000001BB90000-0x000000001BBA2000-memory.dmp

memory/4912-12-0x000000001C160000-0x000000001C688000-memory.dmp

memory/4912-13-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

memory/4912-14-0x000000001BBD0000-0x000000001BBDC000-memory.dmp

memory/4912-15-0x000000001BD30000-0x000000001BD38000-memory.dmp

memory/4912-17-0x000000001BD40000-0x000000001BD4C000-memory.dmp

memory/4912-16-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/4912-20-0x000000001BE70000-0x000000001BE7E000-memory.dmp

memory/4912-19-0x000000001BE60000-0x000000001BE68000-memory.dmp

memory/4912-22-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/4912-21-0x000000001BE80000-0x000000001BE8C000-memory.dmp

memory/4912-23-0x000000001BE90000-0x000000001BE9A000-memory.dmp

memory/4912-18-0x000000001BD50000-0x000000001BD5E000-memory.dmp

memory/4912-24-0x000000001BEA0000-0x000000001BEAC000-memory.dmp

C:\Recovery\WindowsRE\Registry.exe

MD5 2a0c47d8f5e14cfda0437c59c57fbce9
SHA1 a1c37d6d20049b2bc1a1db1d99b4f5b7fcd9c2b0
SHA256 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400
SHA512 790702639348c58c99dcf4bd35d3b47bd544c7e4cd43fab90b5643f2917e3549e8e92a09d7aea3fed05766c086bdecdadf70c392289c46dc667e69cde73595d5

memory/868-165-0x00000219037D0000-0x00000219037F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4tcmvhop.m4a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4912-258-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c47b3f4e68eebd47e9332eebfd2dd4e
SHA1 67f0b143336d7db7b281ed3de5e877fa87261834
SHA256 8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA512 0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10e081d22e02f2f8d7ab5e3fb33079bb
SHA1 0eeaa68bb6ef9e2083860ac526e8c99b6659d90a
SHA256 c31407b25ce1bd518a4540e44299000d97a3611422a90322c7979f997b1c1317
SHA512 6094a4f9e8d6b00f0a8d96b5c1b8b7dd9d72ea942e247d374ed60b7e0116e9bff571d0ecc085c5c1b05e0868d251819f1c48eaf4444503db37c80c070ae98782