Malware Analysis Report

2024-10-10 12:49

Sample ID: 240603-p9xbesfc6t
Target: a452777147dc02f5d8ccacfc0502ac7c.exe
SHA256: c1fb621cbb84ba538603cae73960db7969ec4bde877e5692241c82ea25bdf644
Tags: dcrat, infostealer, persistence, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c1fb621cbb84ba538603cae73960db7969ec4bde877e5692241c82ea25bdf644

Threat Level: Known bad

The file a452777147dc02f5d8ccacfc0502ac7c.exe was found to be: Known bad.

Malicious Activity Summary

Tags: dcrat, infostealer, persistence, rat

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

Modifies WinLogon for persistence

DCRat payload

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 13:02

Signatures

DCRat payload

Tags: rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

Tags: dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 13:02

Reported: 2024-06-03 13:04

Platform: win10v2004-20240426-en

Max time kernel: 93s

Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe"

Signatures

DcRat

Tags: rat, infostealer, dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\INF\a452777147dc02f5d8ccacfc0502ac7c.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\INF\2214ef2a712a98 C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Windows Mail\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default User\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Windows Mail\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Security\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Windows Mail\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Security\\SppExtComObj.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Windows Mail\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Security\\SppExtComObj.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Documents\\My Videos\\services.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Windows Mail\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Windows Mail\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Security\\SppExtComObj.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Windows Mail\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Windows Mail\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\Containers\\serviced\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Windows Mail\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Security\\SppExtComObj.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Documents\\My Videos\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

Tags: rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WindowsPowerShell\Modules\WaaSMedicAgent.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a452777147dc02f5d8ccacfc0502ac7c = "\"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\Documents\\My Videos\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Containers\\serviced\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a452777147dc02f5d8ccacfc0502ac7c = "\"C:\\Recovery\\WindowsRE\\a452777147dc02f5d8ccacfc0502ac7c.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Mail\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\Documents\\My Videos\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Security\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Media Player\\Skins\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a452777147dc02f5d8ccacfc0502ac7c = "\"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Security\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a452777147dc02f5d8ccacfc0502ac7c = "\"C:\\Windows\\INF\\a452777147dc02f5d8ccacfc0502ac7c.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Containers\\serviced\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Mail\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Media Player\\Skins\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\c82b8037eab33d C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files (x86)\Microsoft\conhost.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\WaaSMedicAgent.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files\Windows Mail\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files\Windows Security\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files (x86)\Microsoft\088424020bedd6 C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files\Windows Security\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Skins\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files\Windows Mail\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\a452777147dc02f5d8ccacfc0502ac7c.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File opened for modification C:\Windows\INF\a452777147dc02f5d8ccacfc0502ac7c.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Windows\INF\2214ef2a712a98 C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Windows\Containers\serviced\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Windows\Containers\serviced\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Windows\LanguageOverlayCache\dwm.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\WindowsPowerShell\Modules\WaaSMedicAgent.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe

"C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7ca" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\a452777147dc02f5d8ccacfc0502ac7c.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7c" /sc ONLOGON /tr "'C:\Windows\INF\a452777147dc02f5d8ccacfc0502ac7c.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7ca" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\a452777147dc02f5d8ccacfc0502ac7c.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4yd0flkWu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe

"C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\serviced\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Containers\serviced\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7ca" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\a452777147dc02f5d8ccacfc0502ac7c.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7c" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\a452777147dc02f5d8ccacfc0502ac7c.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a452777147dc02f5d8ccacfc0502ac7ca" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\a452777147dc02f5d8ccacfc0502ac7c.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Security\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Videos\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Videos\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Program Files (x86)\WindowsPowerShell\Modules\WaaSMedicAgent.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\WaaSMedicAgent.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 a0982894.xsph.ru udp
RU 141.8.192.126:80 a0982894.xsph.ru tcp
US 8.8.8.8:53 126.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1544-0-0x00007FFDCDDE3000-0x00007FFDCDDE5000-memory.dmp

memory/1544-1-0x00000000006C0000-0x0000000000796000-memory.dmp

memory/1544-4-0x00007FFDCDDE0000-0x00007FFDCE8A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\o4yd0flkWu.bat

MD5 6142b88585ebaa48f8b108cb558f4ac6
SHA1 d4d65ab602f3830c6cf249473385980c6c74d76d
SHA256 eb19f2b937f1b2f64d9a937982c9fdf356441a915bb0d63a5e90c6a4759a6ec6
SHA512 46f1c065f9bcad5f826297763e56ef1a531266c6800c428756ed035e3d05de6c6787abc91f1314de5c0ae5c6b0ceb820a85a6028106de217ebacdb90127131b0

memory/1544-13-0x00007FFDCDDE0000-0x00007FFDCE8A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a452777147dc02f5d8ccacfc0502ac7c.exe.log

MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

C:\Recovery\WindowsRE\Idle.exe

MD5 a452777147dc02f5d8ccacfc0502ac7c
SHA1 da8810335c641f55872b90a6ea7f178a0875721c
SHA256 c1fb621cbb84ba538603cae73960db7969ec4bde877e5692241c82ea25bdf644
SHA512 5015d12dac1a4a6825dcd01adf04b9ea307b3654e851bf07e41087f4ebb1b744b67c397eb0af282b3452cae5849266c7e00c2e41537795d7c78e5c043012d760

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 13:02

Reported

2024-06-03 13:04

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\de-DE\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\de-DE\\spoolsv.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\de-DE\\spoolsv.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\de-DE\\spoolsv.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\System.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\DVD Maker\\de-DE\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\DVD Maker\\de-DE\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\de-DE\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File opened for modification C:\Program Files\DVD Maker\de-DE\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files\DVD Maker\de-DE\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
N/A N/A C:\MSOCache\All Users\System.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\System.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe

"C:\Users\Admin\AppData\Local\Temp\a452777147dc02f5d8ccacfc0502ac7c.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\de-DE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\de-DE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f

C:\MSOCache\All Users\System.exe

"C:\MSOCache\All Users\System.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0982894.xsph.ru udp
RU 141.8.192.126:80 a0982894.xsph.ru tcp

Files

C:\MSOCache\All Users\System.exe

MD5 a452777147dc02f5d8ccacfc0502ac7c
SHA1 da8810335c641f55872b90a6ea7f178a0875721c
SHA256 c1fb621cbb84ba538603cae73960db7969ec4bde877e5692241c82ea25bdf644
SHA512 5015d12dac1a4a6825dcd01adf04b9ea307b3654e851bf07e41087f4ebb1b744b67c397eb0af282b3452cae5849266c7e00c2e41537795d7c78e5c043012d760
