Malware Analysis Report

2024-10-10 12:49

Sample ID 240603-jb97qsgb2s
Target FPSboostPINGFIX_NeikiAnalytics
SHA256 daeb1abee4ad4fb684882ab23860fa889fd148f6261515cc8abcee43c452e80e
Tags
dcrat evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

daeb1abee4ad4fb684882ab23860fa889fd148f6261515cc8abcee43c452e80e

Threat Level: Known bad

The file FPSboostPINGFIX_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

Process spawned unexpected child process

UAC bypass

DcRat

DCRat payload

Disables Task Manager via registry modification

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:30

Reported

2024-06-03 07:33

Platform

win7-20240221-en

Max time kernel

117s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(identical row repeated 51 times in the original report, one per schtasks.exe invocation listed under Processes)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\chainwebwinref\Monitorcommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\chainwebwinref\Monitorcommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\chainwebwinref\Monitorcommon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\antiriser.bat N/A
N/A N/A C:\chainwebwinref\Monitorcommon.exe N/A
N/A N/A C:\Windows\addins\csrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\chainwebwinref\Monitorcommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\chainwebwinref\Monitorcommon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\bin\088424020bedd6 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\5e9c6a1818cefd C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\Microsoft Games\spoolsv.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\Java\jre7\bin\conhost.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6cb0b6c459d5d3 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\Monitorcommon.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\Microsoft Games\f3b6ecef712a24 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\f3b6ecef712a24 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\b75386f1303e64 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe C:\chainwebwinref\Monitorcommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CSC\v2.0.6\wininit.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Windows\addins\csrss.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Windows\addins\886983d96e3d3e C:\chainwebwinref\Monitorcommon.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(identical row repeated 51 times in the original report)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\chainwebwinref\Monitorcommon.exe N/A
(identical row repeated 64 times in the original report)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\chainwebwinref\Monitorcommon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\addins\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\antiriser.bat
PID 2528 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\antiriser.bat C:\Windows\SysWOW64\WScript.exe
PID 2528 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\antiriser.bat C:\Windows\SysWOW64\WScript.exe
PID 2428 wrote to memory of 2432 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\chainwebwinref\Monitorcommon.exe
PID 2484 wrote to memory of 268 N/A C:\chainwebwinref\Monitorcommon.exe C:\Windows\System32\cmd.exe
PID 268 wrote to memory of 1800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 268 wrote to memory of 584 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\csrss.exe
PID 2432 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\chainwebwinref\Monitorcommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\chainwebwinref\Monitorcommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\chainwebwinref\Monitorcommon.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\antiriser.bat

"C:\Users\Admin\AppData\Local\Temp\antiriser.bat"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\chainwebwinref\iIb9loxeJUzN.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\chainwebwinref\file.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\chainwebwinref\PkXKubhHOUD.bat" "

C:\chainwebwinref\Monitorcommon.exe

"C:\chainwebwinref\Monitorcommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Videos\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MonitorcommonM" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\Monitorcommon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Monitorcommon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\Monitorcommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MonitorcommonM" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\Monitorcommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XqWmkdJp3S.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\csrss.exe

"C:\Windows\addins\csrss.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\antiriser.bat

MD5 d0e8048fe2f4e5dfc74f0e28cf367b68
SHA1 9e9cee85fc51346d10228dfe8b68f250ac839963
SHA256 06e0057c52d77e3027ce56b6d4f6130935b08655a512949819bdeef3a4c5d96e
SHA512 019db1439c6158d906d18f12014a28de503c8f7f2b371cb0a7171067252326e1fb675300ad87748de1a986ba8c93fa4e96ffb7181080caeadb84fe223cd3e2b4

C:\chainwebwinref\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\chainwebwinref\iIb9loxeJUzN.vbe

MD5 cc50d3040c60a2d321d63ce366fec7af
SHA1 511691c44989cb14e82f7d1cbecb1cd0c1390068
SHA256 dc27aaa80d2e5fa4355706d59178a265f704186c0beb1a06af3010453f976790
SHA512 d5f7d4615d81262aa4ddba2cb98d083bd67d503aea2a380e9e6969f856fe26c43270788903954b3a3bf50559c24a4b255cd121780fb6b4afa1c1060da9020aca

C:\chainwebwinref\PkXKubhHOUD.bat

MD5 415ef0b3254212b48ed3737c0ae31765
SHA1 5371c866e12057c8bfa192b8821270e2a1845ea0
SHA256 77c0162c35af4c75b88c3a3f1354ceeba1a876bceee1eaf9fdfd5a70c92f3e71
SHA512 677541de752a22a1fdc566bf095f4c0e5b9bb54b5bbd25bcf77279f37350cb1204aa5daa9f5dd35c2fdd77cade4c2a3a7d00dafd44732dfff30cd9d90c11cfe7

C:\chainwebwinref\Monitorcommon.exe

MD5 3afaa0c4c04a427730ce934ae0f4c564
SHA1 9b807ef589afc6f351747f538a3699480321dfcd
SHA256 71e9ccdeb11d71e77c33dd918395e46c2beae52ad38ffebb43a3d3d9fb1b0b86
SHA512 1acb409a096e0bb2a68c555459f2cf746507cccc4f06d593d9e8d8859678cd94a27a10f4e44fac16a8df0b5e01cb5be56fb588fc584b0832a93138adaa95f2de

C:\Users\Admin\AppData\Local\Temp\XqWmkdJp3S.bat

MD5 644d667d76ec0975b63abde6f3fd21aa
SHA1 3c7696cd52267f14d714093f88d574cc958efc0d
SHA256 cd4c0b3ba2132f9d6aedd246abb4bc97156da7bdce99f81b5ccdc27d16d2fc1a
SHA512 2e13669adf1997f210fb3c648ab8d74e72cd954534b8df8b8b391b4a06f81bb097a4a6d64614f75f9f971c882fa27484db086d366dc8d58148da476eac96f4d7

memory/584-104-0x0000000001110000-0x000000000144E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:30

Reported

2024-06-03 07:33

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (row repeated 51 times, once per schtasks.exe process listed under Processes)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\chainwebwinref\Monitorcommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\chainwebwinref\Monitorcommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\chainwebwinref\Monitorcommon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\antiriser.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\chainwebwinref\Monitorcommon.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\antiriser.bat N/A
N/A N/A C:\chainwebwinref\Monitorcommon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\chainwebwinref\Monitorcommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\chainwebwinref\Monitorcommon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\886983d96e3d3e C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\services.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Windows Mail\smss.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Common Files\Services\121e5b5079f7c0 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\fonts\OfficeClickToRun.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\c5b4cb5e9653cc C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Common Files\Services\sysmon.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\e1ef82546f0b02 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\c5b4cb5e9653cc C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Windows Mail\69ddcba757bf72 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files (x86)\Windows Media Player\csrss.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\SppExtComObj.exe C:\chainwebwinref\Monitorcommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\DataStore\Logs\5e9c6a1818cefd C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Windows\tracing\backgroundTaskHost.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Windows\tracing\eddb19405b7ce1 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Windows\Tasks\lsass.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Windows\Tasks\6203df4a6bafc7 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Windows\TAPI\TextInputHost.exe C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Windows\TAPI\22eafd247d37c3 C:\chainwebwinref\Monitorcommon.exe N/A
File created C:\Windows\SoftwareDistribution\DataStore\Logs\Monitorcommon.exe C:\chainwebwinref\Monitorcommon.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (row repeated 51 times, once per schtasks.exe process listed under Processes)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\antiriser.bat N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\chainwebwinref\Monitorcommon.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\chainwebwinref\Monitorcommon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\antiriser.bat
PID 1220 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\antiriser.bat
PID 1220 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\antiriser.bat
PID 4556 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\antiriser.bat C:\Windows\SysWOW64\WScript.exe
PID 4556 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\antiriser.bat C:\Windows\SysWOW64\WScript.exe
PID 4556 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\antiriser.bat C:\Windows\SysWOW64\WScript.exe
PID 4556 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\antiriser.bat C:\Windows\SysWOW64\WScript.exe
PID 4556 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\antiriser.bat C:\Windows\SysWOW64\WScript.exe
PID 4556 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\antiriser.bat C:\Windows\SysWOW64\WScript.exe
PID 1800 wrote to memory of 3736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 3736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 3736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\chainwebwinref\Monitorcommon.exe
PID 3736 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\chainwebwinref\Monitorcommon.exe
PID 2452 wrote to memory of 2424 N/A C:\chainwebwinref\Monitorcommon.exe C:\Windows\System32\cmd.exe
PID 2452 wrote to memory of 2424 N/A C:\chainwebwinref\Monitorcommon.exe C:\Windows\System32\cmd.exe
PID 3736 wrote to memory of 4288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 4288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 4288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2424 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2424 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\chainwebwinref\Monitorcommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\chainwebwinref\Monitorcommon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\chainwebwinref\Monitorcommon.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\FPSboostPINGFIX_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\antiriser.bat

"C:\Users\Admin\AppData\Local\Temp\antiriser.bat"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\chainwebwinref\iIb9loxeJUzN.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\chainwebwinref\file.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\chainwebwinref\PkXKubhHOUD.bat" "

C:\chainwebwinref\Monitorcommon.exe

"C:\chainwebwinref\Monitorcommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\chainwebwinref\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\chainwebwinref\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\chainwebwinref\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\TAPI\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MonitorcommonM" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\Monitorcommon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Monitorcommon" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\Monitorcommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MonitorcommonM" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\Monitorcommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\de-DE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\de-DE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QsTptGLH5b.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1220-0-0x00007FFA73BC3000-0x00007FFA73BC5000-memory.dmp

memory/1220-1-0x0000000000E10000-0x0000000001116000-memory.dmp

memory/1220-3-0x00007FFA73BC0000-0x00007FFA74681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\antiriser.bat

MD5 d0e8048fe2f4e5dfc74f0e28cf367b68
SHA1 9e9cee85fc51346d10228dfe8b68f250ac839963
SHA256 06e0057c52d77e3027ce56b6d4f6130935b08655a512949819bdeef3a4c5d96e
SHA512 019db1439c6158d906d18f12014a28de503c8f7f2b371cb0a7171067252326e1fb675300ad87748de1a986ba8c93fa4e96ffb7181080caeadb84fe223cd3e2b4

memory/1220-8-0x00007FFA73BC0000-0x00007FFA74681000-memory.dmp

C:\chainwebwinref\iIb9loxeJUzN.vbe

MD5 cc50d3040c60a2d321d63ce366fec7af
SHA1 511691c44989cb14e82f7d1cbecb1cd0c1390068
SHA256 dc27aaa80d2e5fa4355706d59178a265f704186c0beb1a06af3010453f976790
SHA512 d5f7d4615d81262aa4ddba2cb98d083bd67d503aea2a380e9e6969f856fe26c43270788903954b3a3bf50559c24a4b255cd121780fb6b4afa1c1060da9020aca

C:\chainwebwinref\file.vbs

MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

C:\chainwebwinref\PkXKubhHOUD.bat

MD5 415ef0b3254212b48ed3737c0ae31765
SHA1 5371c866e12057c8bfa192b8821270e2a1845ea0
SHA256 77c0162c35af4c75b88c3a3f1354ceeba1a876bceee1eaf9fdfd5a70c92f3e71
SHA512 677541de752a22a1fdc566bf095f4c0e5b9bb54b5bbd25bcf77279f37350cb1204aa5daa9f5dd35c2fdd77cade4c2a3a7d00dafd44732dfff30cd9d90c11cfe7

C:\chainwebwinref\Monitorcommon.exe

MD5 3afaa0c4c04a427730ce934ae0f4c564
SHA1 9b807ef589afc6f351747f538a3699480321dfcd
SHA256 71e9ccdeb11d71e77c33dd918395e46c2beae52ad38ffebb43a3d3d9fb1b0b86
SHA512 1acb409a096e0bb2a68c555459f2cf746507cccc4f06d593d9e8d8859678cd94a27a10f4e44fac16a8df0b5e01cb5be56fb588fc584b0832a93138adaa95f2de

C:\Users\Admin\AppData\Local\Temp\QsTptGLH5b.bat

MD5 8b17cb3cf2216014bca4fbaf4d5061b2
SHA1 60212a0c854787e88a6e712f873ba3ed8b2ad970
SHA256 0f5fc71d2efe77f56d72f3b34aef7d08772ed1c6631f4e165c436984b67bfbbc
SHA512 b713117f113f08464d0133a5f9c32550fc085e35ba78a37e136c5f4515f5dda0bf69646d551f9d066b65f4c6cae8623fda3076c85f441d319296273408a55651