Analysis Overview
SHA256
7e4efd43ace17028eacb97352fe2ea46d44b96aca3068130b0cdec4dbba081b1
Threat Level: Known bad
The file RealtekHDAudioUniversalService_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Process spawned unexpected child process
DcRat
Modifies WinLogon for persistence
Dcrat family
DCRat payload
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 10:03
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 10:03
Reported
2024-06-03 10:05
Platform
win7-20231129-en
Max time kernel
123s
Max time network
150s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\Admin\\Templates\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\Admin\\Templates\\winlogon.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\bridgeHyperCrt\\sppsvc.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\CSC\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\Templates\\winlogon.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\CSC\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\bridgeHyperCrt\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\bridgeHyperCrt\\sppsvc.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\bridgeHyperCrt\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\Templates\\winlogon.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\ebf1f9fa8afd6d | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\27d1bcfc3c54e0 | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\7a0fd90576e088 | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CSC\lsm.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Windows\CSC\101b941d020240 | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Portable Devices\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgeHyperCrt\FOAEdrh1BxsF.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgeHyperCrt\OI0pwrYEs8WKMbQhaocS5DTAkNJim.bat" "
C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
"C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\bridgeHyperCrt\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\bridgeHyperCrt\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\bridgeHyperCrt\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\CSC\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\CSC\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\bridgeHyperCrt\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\bridgeHyperCrt\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\bridgeHyperCrt\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Templates\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xC7r6FxMav.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Portable Devices\cmd.exe
"C:\Program Files (x86)\Windows Portable Devices\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a0984531.xsph.ru | udp |
| RU | 141.8.192.163:80 | a0984531.xsph.ru | tcp |
| RU | 141.8.192.163:80 | a0984531.xsph.ru | tcp |
| RU | 141.8.192.163:80 | a0984531.xsph.ru | tcp |
Files
C:\bridgeHyperCrt\FOAEdrh1BxsF.vbe
| MD5 | 91dfc7252bcd06d82af9f64190b08c7e |
| SHA1 | 4eea175d57c3631c0dab65cff1c325d59b5d34a8 |
| SHA256 | fdee20a4260f6ba25d38608473eb51910fd1780e104edc51b7feea672f23858b |
| SHA512 | b56eea94d6f4660f1022464c82d0595c8ddf18fdd5977c6bc9dd7baae2c8090d188b418c1b6d2556e3b630823d526b27640d06fe8a5f6fffc776caa4907b2d30 |
C:\bridgeHyperCrt\OI0pwrYEs8WKMbQhaocS5DTAkNJim.bat
| MD5 | ae3ca8c85d0b24e4a5d8665f7cb83466 |
| SHA1 | cea7807241d92dca00ed5d9283e21142ffbbb14c |
| SHA256 | afddd637f38e2c904b3c6c717d6277fe9f9566e29f2940e371289ab259f4e869 |
| SHA512 | e3379655f409bd348fbcf61be7cba93627b0a3fb30cadc47f036e3fe03a69d2e9631d7339984ae426cbd5145db1c22a9aec5c98f5806ef0caf1bf69a412c1c99 |
\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
| MD5 | 8b8ad5d190af5992165ab74f2c4d2539 |
| SHA1 | 4c7dcd839b39b6da31c575e6c0078b948c486ca0 |
| SHA256 | fa7c73b719b35f3ed6e23c1c1f216f9c344a3a95a46d9779ddb90cacbde81624 |
| SHA512 | eb957611286cc642dac606a2cd65ae49a67c15832f5383983dc65075d48ab7c4c74873a30cbf9ff024b29d0282b2e1e6e731365a78f23c912fbd5a799568aa0c |
memory/2552-13-0x0000000000B10000-0x0000000000D54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xC7r6FxMav.bat
| MD5 | 863ac2562decda84936abc14395bc993 |
| SHA1 | 9d67c3a49ad74df5b7608d6be0d09c81cb9d8757 |
| SHA256 | 49b7c7341e1617afc4c4e9dfe8c9626313abc1931a6de95018d7b572b4a8f76e |
| SHA512 | b1c0b121467dc3f7cb4712d91030479190b1738380d24ddc9c5fbb291dce55ab8da52fcec98658f987d31d24631ae842294789724d1600d6e44172d129c491ee |
memory/2600-57-0x0000000000E00000-0x0000000001044000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 10:03
Reported
2024-06-03 10:05
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\", \"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\smss.exe\", \"C:\\bridgeHyperCrt\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\", \"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\smss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\", \"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\", \"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\smss.exe\", \"C:\\bridgeHyperCrt\\unsecapp.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\", \"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\smss.exe\", \"C:\\bridgeHyperCrt\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| N/A | N/A | C:\Windows\Downloaded Program Files\RuntimeBroker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\bridgeHyperCrt\\unsecapp.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\bridgeHyperCrt\\dllhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\bridgeHyperCrt\\dllhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\LiveKernelReports\\wininit.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\smss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\bridgeHyperCrt\\unsecapp.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\bridgeHyperCrt\\Idle.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\bridgeHyperCrt\\Idle.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\LiveKernelReports\\wininit.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\smss.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\dotnet\swidtag\RuntimeBroker.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files\dotnet\swidtag\9e8d7a4ca61bd9 | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\dwm.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3 | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9 | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\de-DE\088424020bedd6 | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\servicing\SQM\sysmon.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Windows\LiveKernelReports\wininit.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Windows\LiveKernelReports\56085415360792 | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\RuntimeBroker.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\9e8d7a4ca61bd9 | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Windows\Speech\Engines\Lexicon\StartMenuExperienceHost.exe | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| File created | C:\Windows\Speech\Engines\Lexicon\55b276f4edf653 | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Downloaded Program Files\RuntimeBroker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Downloaded Program Files\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgeHyperCrt\FOAEdrh1BxsF.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgeHyperCrt\OI0pwrYEs8WKMbQhaocS5DTAkNJim.bat" "
C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
"C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\bridgeHyperCrt\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\bridgeHyperCrt\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\bridgeHyperCrt\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\Lexicon\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Lexicon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\Lexicon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\bridgeHyperCrt\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\bridgeHyperCrt\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\bridgeHyperCrt\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\bridgeHyperCrt\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\bridgeHyperCrt\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\bridgeHyperCrt\dllhost.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iDTAhKxGqm.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Downloaded Program Files\RuntimeBroker.exe
"C:\Windows\Downloaded Program Files\RuntimeBroker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a0984531.xsph.ru | udp |
| RU | 141.8.192.163:80 | a0984531.xsph.ru | tcp |
| RU | 141.8.192.163:80 | a0984531.xsph.ru | tcp |
| US | 8.8.8.8:53 | 163.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| RU | 141.8.192.163:80 | a0984531.xsph.ru | tcp |
| US | 8.8.8.8:53 |  | udp |
Files
C:\bridgeHyperCrt\FOAEdrh1BxsF.vbe
| MD5 | 91dfc7252bcd06d82af9f64190b08c7e |
| SHA1 | 4eea175d57c3631c0dab65cff1c325d59b5d34a8 |
| SHA256 | fdee20a4260f6ba25d38608473eb51910fd1780e104edc51b7feea672f23858b |
| SHA512 | b56eea94d6f4660f1022464c82d0595c8ddf18fdd5977c6bc9dd7baae2c8090d188b418c1b6d2556e3b630823d526b27640d06fe8a5f6fffc776caa4907b2d30 |
C:\bridgeHyperCrt\OI0pwrYEs8WKMbQhaocS5DTAkNJim.bat
| MD5 | ae3ca8c85d0b24e4a5d8665f7cb83466 |
| SHA1 | cea7807241d92dca00ed5d9283e21142ffbbb14c |
| SHA256 | afddd637f38e2c904b3c6c717d6277fe9f9566e29f2940e371289ab259f4e869 |
| SHA512 | e3379655f409bd348fbcf61be7cba93627b0a3fb30cadc47f036e3fe03a69d2e9631d7339984ae426cbd5145db1c22a9aec5c98f5806ef0caf1bf69a412c1c99 |
C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
| MD5 | 8b8ad5d190af5992165ab74f2c4d2539 |
| SHA1 | 4c7dcd839b39b6da31c575e6c0078b948c486ca0 |
| SHA256 | fa7c73b719b35f3ed6e23c1c1f216f9c344a3a95a46d9779ddb90cacbde81624 |
| SHA512 | eb957611286cc642dac606a2cd65ae49a67c15832f5383983dc65075d48ab7c4c74873a30cbf9ff024b29d0282b2e1e6e731365a78f23c912fbd5a799568aa0c |
memory/2556-12-0x00007FFA96453000-0x00007FFA96455000-memory.dmp
memory/2556-13-0x0000000000060000-0x00000000002A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iDTAhKxGqm.bat
| MD5 | 253ba9d0dadc6cb11f3867524795fdc7 |
| SHA1 | b2522e63d2ccae0573115d9475c57e6ce6f3334d |
| SHA256 | f4bfcd9aea0d0e9e6e6ec7e64f802523dea418c0ac29997ace10dbce30129b9b |
| SHA512 | 584cf363ddccc4c45df42cd34702bea4de06abe643a84fe51817c9cf7b66eb708fdeafd7226284692be0a8a5fad6fe0b1e341f7f1179f003863c8fdb7afd5c69 |