Malware Analysis Report

2024-10-10 12:52

Sample ID 240601-da7gkaga55
Target 422c7c22a4e94de28a9d706cb882432bc1d250a9bde13754b994b252bca37aed
SHA256 422c7c22a4e94de28a9d706cb882432bc1d250a9bde13754b994b252bca37aed
Tags
rat dcrat execution infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

422c7c22a4e94de28a9d706cb882432bc1d250a9bde13754b994b252bca37aed

Threat Level: Known bad

The file 422c7c22a4e94de28a9d706cb882432bc1d250a9bde13754b994b252bca37aed was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer persistence

Modifies WinLogon for persistence

DCRat payload

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 02:49

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 02:49

Reported

2024-06-01 02:51

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\sppsvc.exe\", \"C:\\Windows\\PLA\\lsm.exe\", \"C:\\Windows\\AppCompat\\csrss.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\winlogon.exe\", \"C:\\Program Files\\DVD Maker\\ja-JP\\Idle.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\sppsvc.exe\", \"C:\\Windows\\PLA\\lsm.exe\", \"C:\\Windows\\AppCompat\\csrss.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\winlogon.exe\", \"C:\\Program Files\\DVD Maker\\ja-JP\\Idle.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\sppsvc.exe\", \"C:\\Windows\\PLA\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\sppsvc.exe\", \"C:\\Windows\\PLA\\lsm.exe\", \"C:\\Windows\\AppCompat\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\sppsvc.exe\", \"C:\\Windows\\PLA\\lsm.exe\", \"C:\\Windows\\AppCompat\\csrss.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\sppsvc.exe\", \"C:\\Windows\\PLA\\lsm.exe\", \"C:\\Windows\\AppCompat\\csrss.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\winlogon.exe\", \"C:\\Program Files\\DVD Maker\\ja-JP\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\sppsvc.exe\", \"C:\\Windows\\PLA\\lsm.exe\", \"C:\\Windows\\AppCompat\\csrss.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\winlogon.exe\", \"C:\\Program Files\\DVD Maker\\ja-JP\\Idle.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Windows\\L2Schemas\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Documents\\My Videos\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\L2Schemas\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\PLA\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\AppCompat\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\DVD Maker\\ja-JP\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\PLA\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\L2Schemas\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\AppCompat\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Documents\\My Videos\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\DVD Maker\\ja-JP\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\RCX1E3E.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\RCX2728.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\Idle.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX1A37.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\Idle.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\L2Schemas\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\PLA\lsm.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\AppCompat\csrss.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\L2Schemas\System.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\PLA\101b941d020240 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\L2Schemas\System.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\AppCompat\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\PLA\RCX20AF.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\AppCompat\RCX22B3.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\L2Schemas\RCX2B30.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\PLA\lsm.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\AppCompat\csrss.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe
PID 1936 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe
PID 1936 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe
PID 1936 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe
PID 1936 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe

"C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\PLA\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\ja-JP\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0913612.xsph.ru udp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
RU 141.8.197.42:80 a0913612.xsph.ru tcp

Files

memory/1936-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/1936-1-0x0000000000A20000-0x0000000000C1A000-memory.dmp

memory/1936-2-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/1936-3-0x00000000005D0000-0x00000000005DE000-memory.dmp

memory/1936-4-0x00000000005E0000-0x00000000005E8000-memory.dmp

memory/1936-5-0x00000000022A0000-0x00000000022BC000-memory.dmp

memory/1936-6-0x0000000002100000-0x0000000002110000-memory.dmp

memory/1936-7-0x000000001ABA0000-0x000000001ABB6000-memory.dmp

memory/1936-8-0x00000000022C0000-0x00000000022D0000-memory.dmp

memory/1936-9-0x000000001A7C0000-0x000000001A7CC000-memory.dmp

memory/1936-10-0x000000001ABC0000-0x000000001ABD2000-memory.dmp

memory/1936-11-0x000000001ABD0000-0x000000001ABDC000-memory.dmp

memory/1936-12-0x000000001AD00000-0x000000001AD0C000-memory.dmp

memory/1936-13-0x000000001AD50000-0x000000001AD58000-memory.dmp

memory/1936-14-0x000000001AD10000-0x000000001AD1C000-memory.dmp

memory/1936-15-0x000000001AD20000-0x000000001AD2E000-memory.dmp

memory/1936-16-0x000000001AD30000-0x000000001AD38000-memory.dmp

memory/1936-17-0x000000001AD40000-0x000000001AD4E000-memory.dmp

memory/1936-18-0x000000001AD60000-0x000000001AD6C000-memory.dmp

memory/1936-19-0x000000001AD70000-0x000000001AD7A000-memory.dmp

memory/1936-20-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/1936-21-0x000000001AD80000-0x000000001AD8C000-memory.dmp

C:\Windows\PLA\lsm.exe

MD5 29d80d247dfb4bd92b1bcfd7a7695d36
SHA1 0284cb27c754537c0440d9341a6fd07b0be1fa42
SHA256 19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963
SHA512 5b25f67c590204cb293e46e0eb10f47e0b02a3c3db1e6537c8a6414b598d4811c68c96a39b18391f750cf72fab4621eaec51fe4e4cc6b11c220823717e37c1e0

C:\Windows\PLA\RCX20AF.tmp

MD5 218eafe87b0d7ba5b74db06f60623619
SHA1 c417639691fb9b8f709b1d4e2051c5e4dc00f4f7
SHA256 a5e71bbfb07dcd189280543d9849e5f5687dae4d5670dd54bf4961e3e6f6bad2
SHA512 a6667d48295ff5f5c0bb7c7a4e7ce2c5d17c3a7ce58703832e70fec3ac7ec0b72d2f20e34dd3afd89472d1c0bd96494b9ed7a7b2a44334df443976fae075f69a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UH4NADFDK3KI1R83GK9U.temp

MD5 e4bbed73fd250b1f55e484c744a82708
SHA1 ba9c82d100dae5b9fca8b907f937bd8de41e7768
SHA256 6cf9060766d52f82e88e4aad598e26a10115f74416166c31472ea399f06b4125
SHA512 f45380cb64ff0593e131ce2878d4d6777202501db9ef0e97b0ab6e463bb51affdd70972e965de6e6058f3a76b4c63af058e41c0e275d6906cbb256d33dcc5346

memory/3060-131-0x000000001B670000-0x000000001B952000-memory.dmp

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\sppsvc.exe

MD5 f20f0971b6e697a04728d1fa8ae70170
SHA1 6c235733c119a7df4026924eaaf01b7ce047ff97
SHA256 f527ae1b6e27fd0d3ae9e95650e1863300fccca29b50d8e4e0a7597bf8838bc9
SHA512 8c22e0c0c2e013f8f00aa7557e65d46e0733b3b55ac1a96626d705b62a321069af515a6742f3053892ceb5578bbf86b04116328ba1828e69686c8e5596f47df8

memory/2636-139-0x0000000000190000-0x000000000038A000-memory.dmp

memory/3060-132-0x0000000001E60000-0x0000000001E68000-memory.dmp

memory/1936-169-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2636-190-0x00000000008E0000-0x00000000008F2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 02:49

Reported

2024-06-01 02:51

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\RuntimeBroker.exe\", \"C:\\Program Files\\Google\\Chrome\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\RuntimeBroker.exe\", \"C:\\Program Files\\Google\\Chrome\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\RuntimeBroker.exe\", \"C:\\Program Files\\Google\\Chrome\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Mozilla Firefox\\browser\\VisualElements\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Google\\Chrome\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Google\\Chrome\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\RCX4B16.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\RCX4D1A.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Google\Chrome\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Google\Chrome\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\RCX4680.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Google\Chrome\RCX4894.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Google\Chrome\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe
PID 1424 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe

"C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\unsecapp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'

C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 a0913612.xsph.ru udp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp

Files

memory/1424-0-0x00007FFA3AA53000-0x00007FFA3AA55000-memory.dmp

memory/1424-1-0x0000000000980000-0x0000000000B7A000-memory.dmp

memory/1424-2-0x00007FFA3AA50000-0x00007FFA3B511000-memory.dmp

memory/1424-3-0x0000000001450000-0x000000000145E000-memory.dmp

memory/1424-4-0x0000000002C60000-0x0000000002C68000-memory.dmp

memory/1424-5-0x0000000002CD0000-0x0000000002CEC000-memory.dmp

memory/1424-6-0x000000001BE50000-0x000000001BEA0000-memory.dmp

memory/1424-7-0x0000000002C70000-0x0000000002C80000-memory.dmp

memory/1424-9-0x0000000002CF0000-0x0000000002D00000-memory.dmp

memory/1424-8-0x000000001BE00000-0x000000001BE16000-memory.dmp

memory/1424-10-0x0000000002D10000-0x0000000002D1C000-memory.dmp

memory/1424-11-0x000000001BE20000-0x000000001BE32000-memory.dmp

memory/1424-13-0x000000001BEA0000-0x000000001BEAC000-memory.dmp

memory/1424-12-0x000000001C3D0000-0x000000001C8F8000-memory.dmp

memory/1424-14-0x000000001BEB0000-0x000000001BEBC000-memory.dmp

memory/1424-15-0x000000001C110000-0x000000001C118000-memory.dmp

memory/1424-16-0x000000001C0C0000-0x000000001C0CC000-memory.dmp

memory/1424-19-0x000000001C140000-0x000000001C14E000-memory.dmp

memory/1424-18-0x000000001C130000-0x000000001C138000-memory.dmp

memory/1424-17-0x000000001C120000-0x000000001C12E000-memory.dmp

memory/1424-23-0x000000001C170000-0x000000001C17C000-memory.dmp

memory/1424-22-0x000000001C160000-0x000000001C16A000-memory.dmp

memory/1424-21-0x00007FFA3AA50000-0x00007FFA3B511000-memory.dmp

memory/1424-20-0x000000001C150000-0x000000001C15C000-memory.dmp

memory/1424-26-0x00007FFA3AA50000-0x00007FFA3B511000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\VisualElements\RuntimeBroker.exe

MD5 29d80d247dfb4bd92b1bcfd7a7695d36
SHA1 0284cb27c754537c0440d9341a6fd07b0be1fa42
SHA256 19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963
SHA512 5b25f67c590204cb293e46e0eb10f47e0b02a3c3db1e6537c8a6414b598d4811c68c96a39b18391f750cf72fab4621eaec51fe4e4cc6b11c220823717e37c1e0

memory/1692-116-0x0000022FF1C40000-0x0000022FF1C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nomghjwt.500.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1424-173-0x00007FFA3AA50000-0x00007FFA3B511000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2