Malware Analysis Report

2024-10-10 12:49

Sample ID 240603-d7gmeabc56
Target Nursultan.exe
SHA256 cf1f6eb66912ff5ad30f8940accdb1df9bb2f8f8cdf3f8d45a4febd48c5641b9
Tags
rat dcrat bootkit infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf1f6eb66912ff5ad30f8940accdb1df9bb2f8f8cdf3f8d45a4febd48c5641b9

Threat Level: Known bad

The file Nursultan.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat bootkit infostealer persistence

DcRat

Modifies WinLogon for persistence

Process spawned unexpected child process

DCRat payload

Dcrat family

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:38

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:38

Reported

2024-06-03 03:41

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\L2Schemas\System.exe C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\L2Schemas\27d1bcfc3c54e0 C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\", \"C:\\Program Files\\7-Zip\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\", \"C:\\Program Files\\7-Zip\\smss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\wininit.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\Idle.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Default User\\winlogon.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\", \"C:\\Program Files\\7-Zip\\smss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\wininit.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\", \"C:\\Program Files\\7-Zip\\smss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\wininit.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Users\\Default User\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\", \"C:\\Program Files\\7-Zip\\smss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\Idle.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\Searches\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\", \"C:\\Program Files\\7-Zip\\smss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\wininit.exe\"" C:\ProviderInto\blocksurrogate.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\7-Zip\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\L2Schemas\\System.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\MSOCache\PetyaFix_2_0_766_127.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\7-Zip\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\Idle.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\wininit.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Searches\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Searches\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\addins\\csrss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\Idle.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\L2Schemas\\System.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\Idle.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\csrss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\csrss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\Idle.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\addins\\csrss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\wininit.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
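Analyst example added to this report (not the sandbox's own output), covering the "Modifies WinLogon for persistence" and "Adds Run key to start application" tables above. It parses a handful of the "Set value (str)" rows exactly as printed (including the escaped value strings), splits the Winlogon\Shell list into its individual programs, and flags two things a triager looks for here: anything appended after the default `explorer.exe` in Winlogon\Shell, and files that borrow a Windows process name (smss.exe, csrss.exe, spoolsv.exe, System.exe, Idle.exe, ...) but live outside System32. The `LEGIT_HOME` table is an analyst assumption kept deliberately simple (it ignores SysWOW64 and WinSxS copies); the sample rows are copied from the report, including the value name shown as `?????`.

```python
"""Audit the Winlogon Shell and Run-key rows above for masquerading autostarts.

Added example for this report; not the sandbox vendor's tooling. The rows in
SAMPLE_ROWS are copied verbatim from the tables above. LEGIT_HOME is an
analyst assumption about where genuine Windows images live.
"""
import re
from pathlib import PureWindowsPath

# Six "Set value (str)" rows copied from the report (escaping as printed there).
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\L2Schemas\\System.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\smss.exe\", \"C:\\Program Files\\Microsoft Games\\More Games\\es-ES\\sppsvc.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\hy\\LC_MESSAGES\\audiodg.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\7-Zip\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\MSOCache\PetyaFix_2_0_766_127.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\Idle.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
"""

# key = "value" process N/A   (the key path may contain spaces, e.g. "Windows NT")
ROW_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<val>.*)" (?P<proc>.+?) N/A$')

# Genuine Windows images and the directory they live in (lowercase). None marks
# the kernel pseudo-processes "System" and "Idle", which have no image file at all.
SYSTEM32 = r"c:\windows\system32"
LEGIT_HOME = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "wininit.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32, "spoolsv.exe": SYSTEM32, "sppsvc.exe": SYSTEM32,
    "audiodg.exe": SYSTEM32, "explorer.exe": r"c:\windows",
    "system.exe": None, "idle.exe": None,
}


def unescape(value):
    """Undo the backslash escaping the report uses when printing a value."""
    return re.sub(r"\\(.)", r"\1", value)


def split_programs(value):
    """Split a value into program paths: quoted paths or bare comma-separated tokens."""
    out = []
    for quoted, bare in re.findall(r'"([^"]*)"|([^,"]+)', value):
        token = (quoted or bare).strip()
        if token:
            out.append(token)
    return out


def classify(program):
    """Return a reason string if the path masquerades as a system process, else None."""
    p = PureWindowsPath(program)
    name = p.name.lower()
    if name not in LEGIT_HOME:
        return None
    home = LEGIT_HOME[name]
    if home is None:
        return "named after a kernel pseudo-process that has no image file"
    if str(p.parent) == ".":
        return None  # bare name, resolved from the system directories
    if str(p.parent).lower() != home:
        return f"system process name outside {home}"
    return None


def audit_autostarts(report_text):
    """Return (key, value_name, program, reason) for every program in the rows;
    reason is None when the entry looks benign under the rules above."""
    findings = []
    for line in report_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, vname = m.group("key").rsplit("\\", 1)
        is_shell = key.lower().endswith(r"\winlogon") and vname.lower() == "shell"
        for prog in split_programs(unescape(m.group("val"))):
            reason = classify(prog)
            if is_shell and prog.lower() != "explorer.exe":
                # Winlogon\Shell is "explorer.exe" by default; anything appended
                # is started at every interactive logon.
                extra = "extra Winlogon Shell entry"
                reason = f"{extra}; {reason}" if reason else extra
            findings.append((key, vname, prog, reason))
    return findings


if __name__ == "__main__":
    for key, vname, prog, reason in audit_autostarts(SAMPLE_ROWS):
        print(f"{vname:10} {prog}\n    {reason or 'ok'}")
```

On the six sample rows this yields ten autostart entries, seven of them flagged; the two bare `explorer.exe` Shell entries and the Synaptics.exe Run value pass the masquerading rule, which is the expected result since neither borrows a system process name.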

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\MSOCache\._cache_PetyaFix_2_0_766_127.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\QQPCMgrHFX64.sys C:\MSOCache\._cache_PetyaFix_2_0_766_127.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\69ddcba757bf72 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\Microsoft Games\More Games\es-ES\sppsvc.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\Microsoft Games\More Games\es-ES\0a1fd5f707cd16 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\f3b6ecef712a24 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\audiodg.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\42af1c969fbb7b C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\7-Zip\smss.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\7-Zip\69ddcba757bf72 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\wininit.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\56085415360792 C:\ProviderInto\blocksurrogate.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\addins\886983d96e3d3e C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Windows\L2Schemas\System.exe C:\ProviderInto\blocksurrogate.exe N/A
File opened for modification C:\Windows\L2Schemas\System.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Windows\L2Schemas\27d1bcfc3c54e0 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Windows\addins\csrss.exe C:\ProviderInto\blocksurrogate.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\MSOCache\._cache_PetyaFix_2_0_766_127.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProviderInto\blocksurrogate.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan.exe C:\Windows\SysWOW64\WScript.exe
PID 2344 wrote to memory of 2640 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\ProviderInto\blocksurrogate.exe
PID 2708 wrote to memory of 2104 N/A C:\ProviderInto\blocksurrogate.exe C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe
PID 2104 wrote to memory of 2716 N/A C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe C:\MSOCache\PetyaFix_2_0_766_127.exe
PID 2716 wrote to memory of 2540 N/A C:\MSOCache\PetyaFix_2_0_766_127.exe C:\MSOCache\._cache_PetyaFix_2_0_766_127.exe
PID 2716 wrote to memory of 2952 N/A C:\MSOCache\PetyaFix_2_0_766_127.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2952 wrote to memory of 2016 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\MSOCache\._cache_Synaptics.exe
PID 2540 wrote to memory of 1652 N/A C:\MSOCache\._cache_PetyaFix_2_0_766_127.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1652 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2800 wrote to memory of 2160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2540 wrote to memory of 2856 N/A C:\MSOCache\._cache_PetyaFix_2_0_766_127.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2856 wrote to memory of 672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 672 wrote to memory of 376 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2540 wrote to memory of 1788 N/A C:\MSOCache\._cache_PetyaFix_2_0_766_127.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProviderInto\bg4vLJUaDkf5tC.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProviderInto\NmoUHUSCIv.bat" "

C:\ProviderInto\blocksurrogate.exe

"C:\ProviderInto\blocksurrogate.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\More Games\es-ES\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\More Games\es-ES\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\More Games\es-ES\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe

"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\spoolsv.exe"

C:\MSOCache\PetyaFix_2_0_766_127.exe

"C:\MSOCache\PetyaFix_2_0_766_127.exe"

C:\MSOCache\._cache_PetyaFix_2_0_766_127.exe

"C:\MSOCache\._cache_PetyaFix_2_0_766_127.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\MSOCache\._cache_Synaptics.exe

"C:\MSOCache\._cache_Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\cmd.exe

cmd /c sc config BITS start= auto | net start BITS

C:\Windows\SysWOW64\sc.exe

sc config BITS start= auto

C:\Windows\SysWOW64\net.exe

net start BITS

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start BITS

C:\Windows\SysWOW64\cmd.exe

cmd /c sc config msiserver start= auto | net start msiserver

C:\Windows\SysWOW64\sc.exe

sc config msiserver start= auto

C:\Windows\SysWOW64\net.exe

net start msiserver

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start msiserver

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

cmd /c sc config wuauserv start= auto | net start wuauserv

C:\Windows\SysWOW64\sc.exe

sc config wuauserv start= auto

C:\Windows\SysWOW64\net.exe

net start wuauserv

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0990228.xsph.ru udp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 xred.mooo.com udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
RU 141.8.192.93:80 a0990228.xsph.ru tcp

Files

C:\ProviderInto\bg4vLJUaDkf5tC.vbe

MD5 7f1bd72e83931ae16e0939d3dbc24d5b
SHA1 8e4ebd32d84a2e9e415c86b82332cf467e8ff1ab
SHA256 3478b04d7b9a3accf9d74e14f39493a5802938dbc774b2946a4c810ad3ee94af
SHA512 d22cad0ce50bfd7fd81c9b067d8388765f51d3fbe406e9008cce04fd0863e591781f26b6259a4b5c528ece7696f7ce3997720961582143ec5627306cce48c57c

C:\ProviderInto\NmoUHUSCIv.bat

MD5 f6f5d0c8f6feac0cb30c89fd1657cb64
SHA1 be50cec1500209cf68fe55f56b9dcc340546f454
SHA256 ea164f49511be36687b6c8aba7115701c6dd583f58589d948a72ea12de1c672e
SHA512 69a7947e16c893818a04887bf8b2e4a8cd22ad91ec9bfaa603c4eec99204c762d6d46493b0298520419f9818e2459ae372a8876b18f470b9138a1fb80f6ad258

\ProviderInto\blocksurrogate.exe

MD5 7ca99a0ca6db34fcfa842e5f6c203c94
SHA1 cf1a8e002cdd663e810281ff2b9093ddfa9527d0
SHA256 9de7ec4d1da007ad17d08ae860b474fec5ab46dd834584ba9fb36ff8a00b52f0
SHA512 17ae7000770c2f2e7918fad9e202c033bcf3c92490ca04f955142abe164b0583ac22a3659f4dc120643df8c51a9d11b832071dfe66fe2032d6d778d3d4b53a33

memory/2708-13-0x0000000000B50000-0x0000000000CAC000-memory.dmp

memory/2708-14-0x0000000000470000-0x000000000048C000-memory.dmp

memory/2708-15-0x0000000000620000-0x0000000000636000-memory.dmp

memory/2708-16-0x0000000000140000-0x0000000000152000-memory.dmp

memory/2708-17-0x0000000000350000-0x000000000035E000-memory.dmp

memory/2708-18-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/2104-55-0x00000000002B0000-0x000000000040C000-memory.dmp

memory/2104-56-0x00000000005C0000-0x00000000005D2000-memory.dmp

C:\MSOCache\PetyaFix_2_0_766_127.exe

MD5 289a4045309926a855db023765f23a65
SHA1 95605b27d021253985ad6ba2d9abe92cd4961843
SHA256 239889e3d7a86e6f127438baa5b9583bc0d0fd87d636cbecf7e7e3674bd50ab2
SHA512 ffd6779bf2694adf65a2b4c1dbacf1e2d892442431ee775185522ada3c8dd7f1e8aa77402733baea84261281f4be0cea5c4e69cfb18a1b8daa70c64e47c0a3ac

\MSOCache\._cache_PetyaFix_2_0_766_127.exe

MD5 0467201ff1aae37c80eb2bf52b541b6b
SHA1 57f5344de3308df34ab8cb7a889ff05a64cc073d
SHA256 8d1910480aff8d306b3e568b72bd0951bffec4cc86f37a9ab3a6ec1291b4d4fa
SHA512 85b54dd6ce4b6bd1043c897d0498c5ad0cef5a7b915a578d383bed393bcaa296dd5d98c5ecaaae00440f09ce5d62261ee06824cfe420c05650f905359d8be1e4

\MSOCache\qmdr\dr.dll

MD5 4f53e6f3881ff3e1ee1cc0dc0561410f
SHA1 31388b4d64164eaa5b79ee30bf22840f6b5955a2
SHA256 967bfd76354486919fd252a8bcb3d787af495a0a58bfb8a216b3776cdc2dfc43
SHA512 a652d85e36143e45bafc105f7f385b1dfa25cc83d7bb1c2b167999ec95f4dd27fc43ea91e14abc26f78395a202159807dbfd85394b30061b64fea285aab64921

memory/2716-95-0x0000000000400000-0x000000000075E000-memory.dmp

memory/2952-103-0x0000000000400000-0x000000000075E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:38

Reported

2024-06-03 03:41

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\", \"C:\\ProviderInto\\SearchApp.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\", \"C:\\ProviderInto\\SearchApp.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\smss.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\", \"C:\\ProviderInto\\SearchApp.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\smss.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\ProviderInto\\WaaSMedicAgent.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\", \"C:\\ProviderInto\\SearchApp.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\smss.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\ProviderInto\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\fonts\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\", \"C:\\ProviderInto\\SearchApp.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\smss.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\ProviderInto\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\", \"C:\\ProviderInto\\SearchApp.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\smss.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\ProviderInto\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\fonts\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\", \"C:\\ProviderInto\\SearchApp.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\WaaSMedicAgent.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\", \"C:\\ProviderInto\\SearchApp.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\", \"C:\\Users\\Default\\Favorites\\TextInputHost.exe\", \"C:\\ProviderInto\\SearchApp.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\smss.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\ProviderInto\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\spoolsv.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\fonts\\conhost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Documents\\lsass.exe\"" C:\ProviderInto\blocksurrogate.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\ProviderInto\blocksurrogate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\ProviderInto\blocksurrogate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\VideoLAN\\VLC\\skins\\fonts\\conhost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Default\\Favorites\\TextInputHost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Default\\Favorites\\TextInputHost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\VideoLAN\\VLC\\skins\\fonts\\conhost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\ProviderInto\\WaaSMedicAgent.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Users\\Default\\Downloads\\WaaSMedicAgent.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files\\Mozilla Firefox\\uninstall\\WaaSMedicAgent.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\ProviderInto\\SearchApp.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\smss.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\ProviderInto\\WaaSMedicAgent.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files\\Mozilla Firefox\\uninstall\\WaaSMedicAgent.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\wininit.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Documents\\lsass.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\cmd.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Temp\\Crashpad\\RuntimeBroker.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\TextInputHost.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\ProviderInto\\SearchApp.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\spoolsv.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Documents\\lsass.exe\"" C:\ProviderInto\blocksurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Cookies\\RuntimeBroker.exe\"" C:\ProviderInto\blocksurrogate.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\56085415360792 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\smss.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\cmd.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\WaaSMedicAgent.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\c82b8037eab33d C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\69ddcba757bf72 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\ebf1f9fa8afd6d C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\wininit.exe C:\ProviderInto\blocksurrogate.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\wininit.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\f3b6ecef712a24 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\088424020bedd6 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\ModifiableWindowsApps\TrustedInstaller.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe C:\ProviderInto\blocksurrogate.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Performance\WinSAT\DataStore\TextInputHost.exe C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Windows\Performance\WinSAT\DataStore\22eafd247d37c3 C:\ProviderInto\blocksurrogate.exe N/A
File created C:\Windows\OCR\en-us\System.exe C:\ProviderInto\blocksurrogate.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Nursultan.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\ProviderInto\blocksurrogate.exe N/A
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProviderInto\blocksurrogate.exe N/A
Token: SeDebugPrivilege N/A C:\ProviderInto\blocksurrogate.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\StartMenuExperienceHost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProviderInto\bg4vLJUaDkf5tC.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProviderInto\NmoUHUSCIv.bat" "

C:\ProviderInto\blocksurrogate.exe

"C:\ProviderInto\blocksurrogate.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Documents\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\cmd.exe'" /rl HIGHEST /f

C:\ProviderInto\blocksurrogate.exe

"C:\ProviderInto\blocksurrogate.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default\Downloads\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\ProviderInto\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\ProviderInto\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\ProviderInto\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\uninstall\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\ProviderInto\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\ProviderInto\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\ProviderInto\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

"C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 a0990228.xsph.ru udp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
RU 141.8.192.93:80 a0990228.xsph.ru tcp
US 8.8.8.8:53 93.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 141.8.192.93:80 a0990228.xsph.ru tcp

Files

C:\ProviderInto\bg4vLJUaDkf5tC.vbe

C:\ProviderInto\NmoUHUSCIv.bat

C:\ProviderInto\blocksurrogate.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blocksurrogate.exe.log
