Malware Analysis Report

2024-10-10 12:49

Sample ID 240603-eynj2abb5y
Target d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4
SHA256 d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4
Tags: rat dcrat execution infostealer persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4

Threat Level: Known bad

The file d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4 was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer persistence spyware stealer

DCRat payload

Modifies WinLogon for persistence

Process spawned unexpected child process

DcRat

Dcrat family

Detects executables packed with SmartAssembly

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:21

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:21

Reported

2024-06-03 04:23

Platform

win7-20240215-en

Max time kernel

134s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(the row above appears 39 times in the original report, all identical)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Default\\Videos\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Default\\Videos\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Default\\Videos\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\Idle.exe\", \"C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\en-US\\lsm.exe\", \"C:\\Users\\Default User\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Default\\Videos\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Default\\Videos\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\Idle.exe\", \"C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\en-US\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Default\\Videos\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\Idle.exe\", \"C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\en-US\\lsm.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Users\\All Users\\Desktop\\winlogon.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Default\\Videos\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Default\\Videos\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\Idle.exe\", \"C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\en-US\\lsm.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Default\\Videos\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\Idle.exe\", \"C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\en-US\\lsm.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Users\\All Users\\Desktop\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Default\\Videos\\taskhost.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(the row above appears 39 times in the original report, all identical)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(the row above appears 3 times in the original report, all identical)

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\sppsvc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\en-US\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\Videos\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Uninstall Information\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Uninstall Information\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Portable Devices\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\Desktop\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\en-US\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\Videos\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Portable Devices\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\Desktop\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Uninstall Information\Idle.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Uninstall Information\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\lsm.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\101b941d020240 C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Windows Portable Devices\lsass.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Windows Portable Devices\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(the row above appears 39 times in the original report, all identical)

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\sppsvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
(the row above appears 6 times in the original report, all identical)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(the row above appears 14 times in the original report, all identical)
N/A N/A C:\MSOCache\All Users\sppsvc.exe N/A
(the row above appears 14 times in the original report, all identical)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\sppsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(the row above appears 14 times in the original report, all identical)
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\sppsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\cmd.exe
PID 3000 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\cmd.exe
PID 3000 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\cmd.exe
PID 2152 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2152 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2152 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2152 wrote to memory of 2744 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\sppsvc.exe
PID 2152 wrote to memory of 2744 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\sppsvc.exe
PID 2152 wrote to memory of 2744 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\sppsvc.exe
PID 2152 wrote to memory of 2744 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\sppsvc.exe
PID 2152 wrote to memory of 2744 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\sppsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe

"C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Videos\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Videos\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQFDoehEEs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\sppsvc.exe

"C:\MSOCache\All Users\sppsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 729231cm.n9shteam1.top udp
US 104.21.22.205:80 729231cm.n9shteam1.top tcp
US 104.21.22.205:80 729231cm.n9shteam1.top tcp

Files

memory/3000-0-0x000007FEF4E63000-0x000007FEF4E64000-memory.dmp

memory/3000-1-0x0000000000DC0000-0x0000000000F22000-memory.dmp

memory/3000-2-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

memory/3000-3-0x0000000000240000-0x000000000024E000-memory.dmp

memory/3000-4-0x0000000000310000-0x000000000032C000-memory.dmp

memory/3000-5-0x0000000000330000-0x0000000000338000-memory.dmp

memory/3000-6-0x0000000000570000-0x0000000000586000-memory.dmp

memory/3000-7-0x0000000000340000-0x0000000000350000-memory.dmp

memory/3000-8-0x00000000004E0000-0x00000000004EA000-memory.dmp

memory/3000-9-0x0000000000590000-0x000000000059C000-memory.dmp

C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe

MD5 841209ab771bde66b25dfd03ff84c68a
SHA1 3c23b1e5d84698723316059a0458350c0a67fb91
SHA256 d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4
SHA512 99039987c13b7092ef15fabc7f2a49ea08b41882c41bb27fa776cd13d3cefc7a104e6777530151fbf43e232eba127b29dc6bc5ac9c51f86320800f868a59d160

memory/2060-50-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 628d23c6a6d084a4e937364e118d34cf
SHA1 06ce21141323aee04937eb5e98b3d4146b9fc9ab
SHA256 64ea0340d43e051a75915e1dc20b67da8db4e8af46f9aab33da107e3bdbcd20a
SHA512 b9b373a58001691e5daab5830216f5308ecf5d3033f9946e0f7a95c8e20a069ee6996af755d35f259e75d57d5d69986b0213ca2eb902d7397272461cdc748825

memory/3000-62-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

memory/2060-60-0x00000000022B0000-0x00000000022B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yQFDoehEEs.bat

MD5 81553212360343eb3c1fb8a6f172de04
SHA1 f589aac629be1b2db9e7b454d626d1ebde9d05f0
SHA256 e9e35d7c4aacad112b49146285736e6eefd3e106abf4ea695eca262d2208f843
SHA512 651057acc7a04d235737105da930d8b2e94ae6e46850f45a51bcd7849e8f62b29bcccf5dc3545a1dd88c44b6755585d656856013db5a845495b7617635381529

memory/2744-115-0x0000000000B20000-0x0000000000C82000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:21

Reported

2024-06-03 04:23

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\", \"C:\\Users\\Default\\taskhostw.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\", \"C:\\Users\\Default\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\", \"C:\\Users\\Default\\taskhostw.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\", \"C:\\Users\\Default\\taskhostw.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\", \"C:\\Users\\Default\\taskhostw.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\", \"C:\\Users\\Default\\taskhostw.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\", \"C:\\Users\\Default\\taskhostw.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\upfc.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\", \"C:\\Users\\Default\\taskhostw.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (27 identical rows, one per flagged schtasks.exe launch)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Recovery\\WindowsRE\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\All Users\\Microsoft OneDrive\\setup\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Default\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Defender\\es-ES\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Default\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Recovery\\WindowsRE\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Media Player\\de-DE\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Media Player\\de-DE\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Defender\\it-IT\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Defender\\it-IT\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Icons\explorer.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Windows Defender\es-ES\services.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Windows Defender\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\WindowsApps\services.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Windows Defender\it-IT\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Windows Defender\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Windows Defender\es-ES\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Windows Defender\it-IT\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (36 identical rows, one per schtasks.exe /create invocation listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe N/A (14 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (26 identical rows)
N/A N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A (2 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (13 identical rows)
N/A N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A (9 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\fontdrvhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 884 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 2372 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3772 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 640 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 1368 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 1968 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3712 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3408 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3168 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 4848 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 1912 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 5024 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 1672 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3904 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe C:\Recovery\WindowsRE\fontdrvhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe

"C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\it-IT\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\it-IT\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\de-DE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\de-DE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\it-IT\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\MusNotification.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\de-DE\unsecapp.exe'

C:\Recovery\WindowsRE\fontdrvhost.exe

"C:\Recovery\WindowsRE\fontdrvhost.exe"
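The process list above shows the pattern worth detecting rather than any single path: one schtasks /create that re-launches a dropped binary every 10 minutes with /rl HIGHEST, and a run of powershell Add-MpPreference -ExclusionPath calls that exempt every drop location from Defender scanning, each location using a real Windows binary name (RuntimeBroker.exe, taskhostw.exe, services.exe, fontdrvhost.exe, ...) in a directory where that binary never lives. The Python below is an added example written for this report, not tooling from the sandbox or from the malware; it runs those three checks over process-creation events constructed from the command lines above. The schtasks.exe image path, the benign RuntimeBroker.exe control event, and the list of system binary names are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Names of Windows binaries that legitimately live under C:\Windows\ (System32,
# SysWOW64, SystemApps, WinSxS). One of these names anywhere else is treated as
# masquerading. The list is an assumption for this example, not from the report.
SYSTEM_BINARIES = {
    "runtimebroker.exe", "taskhostw.exe", "services.exe", "dllhost.exe",
    "fontdrvhost.exe", "sppextcomobj.exe", "unsecapp.exe", "searchapp.exe",
    "startmenuexperiencehost.exe", "musnotification.exe", "upfc.exe",
}
WINDOWS_DIR = "c:\\windows\\"

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
# /tn, /sc, /mo, /tr, /rl and their values, which may be "..." or '...' quoted
OPT_RE = re.compile(r'''/(tn|sc|mo|tr|rl)\s+("[^"]*"|'[^']*'|\S+)''', re.I)


@dataclass
class Finding:
    kind: str          # defender_exclusion | scheduled_task | masquerade_exec
    path: str          # file the finding concerns
    detail: str
    masquerade: bool   # path uses a system binary name outside C:\Windows\


def is_masquerade(path: str) -> bool:
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_BINARIES and not path.lower().startswith(WINDOWS_DIR)


def check_schtasks(cmd: str):
    """Flag /create tasks that fire every few minutes or run at HIGHEST level."""
    if not SCHTASKS_RE.search(cmd):
        return None
    opts = {k.lower(): v.strip('"').strip("'") for k, v in OPT_RE.findall(cmd)}
    sc = opts.get("sc", "").upper()
    mo = int(opts["mo"]) if opts.get("mo", "").isdigit() else None
    frequent = sc == "MINUTE" and (mo is None or mo <= 15)
    elevated = opts.get("rl", "").upper() == "HIGHEST"
    if not (frequent or elevated):
        return None
    target = opts.get("tr", "")
    detail = f"/tn {opts.get('tn')} /sc {sc} /mo {mo} /rl {opts.get('rl')}"
    return Finding("scheduled_task", target, detail, is_masquerade(target))


def analyze(events):
    """events: iterable of (image path, command line). Returns Finding list."""
    findings = []
    for image, cmd in events:
        for path in EXCLUSION_RE.findall(cmd):
            findings.append(Finding("defender_exclusion", path,
                                    "Add-MpPreference -ExclusionPath", is_masquerade(path)))
        task = check_schtasks(cmd)
        if task:
            findings.append(task)
        if is_masquerade(image):
            findings.append(Finding("masquerade_exec", image,
                                    "system binary name launched outside C:\\Windows\\", True))
    return findings


def excl(path: str) -> str:
    """Command line in the exact form the report shows for the exclusions."""
    return f'"powershell" -Command Add-MpPreference -ExclusionPath \'{path}\''


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample: (image, command line) pairs from the process list above.
# The schtasks.exe image path and the last, benign control row are assumptions.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\schtasks.exe",
     r'''schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\de-DE\unsecapp.exe'" /rl HIGHEST /f'''),
    (PS, excl(r"C:\Users\Default User\RuntimeBroker.exe")),
    (PS, excl(r"C:\Recovery\WindowsRE\fontdrvhost.exe")),
    (PS, excl(r"C:\Users\Admin\AppData\Local\Temp\d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4.exe")),
    (r"C:\Recovery\WindowsRE\fontdrvhost.exe", r'"C:\Recovery\WindowsRE\fontdrvhost.exe"'),
    (r"C:\Windows\System32\RuntimeBroker.exe", r"C:\Windows\System32\RuntimeBroker.exe -Embedding"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        flag = " [masquerade]" if f.masquerade else ""
        print(f"{f.kind:<19} {f.path}{flag}  ({f.detail})")
```

The exclusion rule fires on every Add-MpPreference -ExclusionPath regardless of target, because a legitimate administrator adds exclusions from a console, not from a chain of one-shot powershell children of a freshly dropped binary; the masquerade flag is what separates the copies placed under C:\Recovery, C:\Users\Default and Program Files from the sample's own Temp path. The System32 RuntimeBroker.exe control row produces nothing.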

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
GB 92.123.142.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 729231cm.n9shteam1.top udp
US 104.21.22.205:80 729231cm.n9shteam1.top tcp
US 104.21.22.205:80 729231cm.n9shteam1.top tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 205.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp
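Most rows in the table are resolver traffic to 8.8.8.8, reverse (PTR) lookups of addresses already listed, and Microsoft background traffic from the sandbox image. The Python below is an added triage helper written for this report, not sandbox output or tooling; it folds the table into one record per destination, separates the external-IP check via ip-api.com (the "Looks up external IP address via web service" signature) from the background noise, and leaves for analyst review the one name nothing else explains, 729231cm.n9shteam1.top on 104.21.22.205:80, plus the 52.111.229.43:443 row that has no domain. The background suffix list and the category labels are assumptions; the input rows are a constructed subset of the table above.

```python
from dataclasses import dataclass, field

PTR_SUFFIX = ".in-addr.arpa"
# Assumed background traffic of a Windows sandbox image; extend per environment.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
EXTERNAL_IP_SERVICES = {"ip-api.com"}


@dataclass
class Destination:
    name: str              # domain, or the bare IP when the row had no domain
    category: str          # external_ip_lookup | background | unresolved | review
    endpoints: set = field(default_factory=set)   # ip:port actually connected to
    connections: int = 0
    dns_queries: int = 0


def classify(domain):
    if domain is None:
        return "unresolved"
    if domain in EXTERNAL_IP_SERVICES:
        return "external_ip_lookup"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "review"


def parse_row(line):
    """Rows are 'Country Destination Domain Proto'; the Domain column may be empty."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        return None
    return country, dest, domain, proto


def triage(table):
    summary = {}
    for line in table.splitlines():
        row = parse_row(line)
        if row is None or row[0].lower() == "country":   # blank line or header
            continue
        country, dest, domain, proto = row
        if domain and domain.endswith(PTR_SUFFIX):        # no new indicator
            continue
        name = domain or dest.rsplit(":", 1)[0]
        d = summary.setdefault(name, Destination(name, classify(domain)))
        if dest.endswith(":53") and proto == "udp":
            d.dns_queries += 1      # query to the resolver, not a connection
        else:
            d.connections += 1
            d.endpoints.add(dest)
    return summary


def needs_review(summary):
    return sorted(n for n, d in summary.items()
                  if d.category in ("review", "unresolved"))


# Constructed subset of the network table above.
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
GB 92.123.142.160:443 www.bing.com tcp
US 8.8.8.8:53 729231cm.n9shteam1.top udp
US 104.21.22.205:80 729231cm.n9shteam1.top tcp
US 104.21.22.205:80 729231cm.n9shteam1.top tcp
US 52.111.229.43:443 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

if __name__ == "__main__":
    summary = triage(NETWORK_ROWS)
    for d in summary.values():
        print(f"{d.category:<19} {d.name:<28} conn={d.connections} dns={d.dns_queries} {sorted(d.endpoints)}")
    print("review:", needs_review(summary))
```

Keeping the DNS query count separate from the connection count matters: the 8.8.8.8:53 rows name the domain but the sandbox never connected to 8.8.8.8 for anything else, so the endpoint set records only the real peers (104.21.22.205:80 twice, 208.95.112.1:80 once).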

Files

memory/5112-0-0x00007FFCBF2A3000-0x00007FFCBF2A5000-memory.dmp

memory/5112-1-0x0000000000F50000-0x00000000010B2000-memory.dmp

memory/5112-2-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp

memory/5112-3-0x0000000003130000-0x000000000313E000-memory.dmp

memory/5112-4-0x000000001BBF0000-0x000000001BC0C000-memory.dmp

memory/5112-7-0x000000001BC10000-0x000000001BC26000-memory.dmp

memory/5112-8-0x000000001BC30000-0x000000001BC40000-memory.dmp

memory/5112-6-0x0000000003140000-0x0000000003148000-memory.dmp

memory/5112-5-0x000000001C2E0000-0x000000001C330000-memory.dmp

memory/5112-9-0x000000001BC40000-0x000000001BC4A000-memory.dmp

memory/5112-10-0x000000001BD60000-0x000000001BD6C000-memory.dmp

C:\Users\Default\taskhostw.exe

MD5 841209ab771bde66b25dfd03ff84c68a
SHA1 3c23b1e5d84698723316059a0458350c0a67fb91
SHA256 d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4
SHA512 99039987c13b7092ef15fabc7f2a49ea08b41882c41bb27fa776cd13d3cefc7a104e6777530151fbf43e232eba127b29dc6bc5ac9c51f86320800f868a59d160

memory/5112-46-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tuuv5dpj.cof.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2372-63-0x00000246F5530000-0x00000246F5552000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4