Malware Analysis Report

2024-10-10 12:59

Sample ID 240603-zvxnraac58
Target 47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b
SHA256 47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b
Tags
dcrat execution infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b

Threat Level: Known bad

The file 47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b was found to be: Known bad.

Malicious Activity Summary

dcrat execution infostealer persistence rat

Dcrat family

Process spawned unexpected child process

DCRat payload

Modifies WinLogon for persistence

DcRat

Detects executables packed with SmartAssembly

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 21:02

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 21:02

Reported

2024-06-03 21:05

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(39 identical rows)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Users\\All Users\\Favorites\\Idle.exe\", \"C:\\MSOCache\\All Users\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Users\\All Users\\Favorites\\Idle.exe\", \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Users\\All Users\\Favorites\\Idle.exe\", \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\lsm.exe\", \"C:\\Users\\All Users\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\smss.exe\", \"C:\\Users\\Admin\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Users\\All Users\\Favorites\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Users\\All Users\\Favorites\\Idle.exe\", \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Users\\All Users\\Favorites\\Idle.exe\", \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\lsm.exe\", \"C:\\Users\\All Users\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\", \"C:\\Users\\All Users\\Favorites\\Idle.exe\", \"C:\\MSOCache\\All Users\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\spoolsv.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(39 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(4 identical rows)

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
(5 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Favorites\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Package Cache\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Mail\\en-US\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Favorites\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Package Cache\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\en-US\RCX32A9.tmp C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\smss.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX2C9E.tmp C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\en-US\smss.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\RCX34AD.tmp C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\RCX30A6.tmp C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(39 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
(37 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\MSOCache\All Users\spoolsv.exe
PID 836 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\MSOCache\All Users\spoolsv.exe
PID 836 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\MSOCache\All Users\spoolsv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe

"C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Favorites\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\winlogon.exe'

C:\MSOCache\All Users\spoolsv.exe

"C:\MSOCache\All Users\spoolsv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0913612.xsph.ru udp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
RU 141.8.197.42:80 a0913612.xsph.ru tcp

Files

memory/836-0-0x000007FEF5633000-0x000007FEF5634000-memory.dmp

memory/836-1-0x0000000000F80000-0x000000000117A000-memory.dmp

memory/836-2-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

memory/836-3-0x00000000002C0000-0x00000000002CE000-memory.dmp

memory/836-4-0x00000000002D0000-0x00000000002D8000-memory.dmp

memory/836-5-0x00000000002E0000-0x00000000002FC000-memory.dmp

memory/836-6-0x0000000000490000-0x00000000004A0000-memory.dmp

memory/836-7-0x00000000004A0000-0x00000000004B6000-memory.dmp

memory/836-8-0x00000000004C0000-0x00000000004D0000-memory.dmp

memory/836-9-0x00000000004D0000-0x00000000004DC000-memory.dmp

memory/836-10-0x0000000000560000-0x0000000000572000-memory.dmp

memory/836-11-0x0000000000F60000-0x0000000000F6C000-memory.dmp

memory/836-12-0x0000000000F70000-0x0000000000F7C000-memory.dmp

memory/836-13-0x000000001AA30000-0x000000001AA38000-memory.dmp

memory/836-14-0x000000001A900000-0x000000001A90C000-memory.dmp

memory/836-15-0x000000001AA10000-0x000000001AA1E000-memory.dmp

memory/836-16-0x000000001AA20000-0x000000001AA28000-memory.dmp

memory/836-17-0x000000001AA40000-0x000000001AA4E000-memory.dmp

memory/836-18-0x000000001AA50000-0x000000001AA5C000-memory.dmp

memory/836-20-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

memory/836-19-0x000000001AA60000-0x000000001AA6A000-memory.dmp

memory/836-21-0x000000001AE40000-0x000000001AE4C000-memory.dmp

C:\Program Files (x86)\Windows Mail\en-US\smss.exe

MD5 9eaaf55874f2f7c7d8dbab3258e925be
SHA1 ef5855e552f32f31e995c7a394493b4a2792208c
SHA256 47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b
SHA512 0f457fc3989c0264c81a5934c878f8022b18485323347fa4f937d3ef5b363c89a550e4bcdb4578f3f012a6051d118e5f8e0f58b81e2cb47517da505e23c4f050

C:\Users\Admin\RCX447D.tmp

MD5 6c8d2df45c2e31bf6480615baf76efa0
SHA1 be616e0983ba2602f00f3fe3a48269336bef84d3
SHA256 1b100c8f8c63ce133a4deb6cd8af87cbd29719b346a10816aff2c66523cc86a5
SHA512 55d70c18911b63c6cf9a7ea6f816e884e2e26273dbb0d31db0e2361e7381208baf7f6336be1236674e3d6bcb78ec346812eaf323e8638ad7ebe5fd4519ef020e

memory/2736-144-0x00000000012C0000-0x00000000014BA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 126043844309e56aa1bbc1ce0aa645d6
SHA1 c4f4dd79699025183a912dee3276dae7a2beb661
SHA256 0b286d7212668b612c8ac75e61208c9d36ea6638509b109f8dabfbf7e816d7e3
SHA512 a092a5b62eaf57b66550349e4f09351c448192701aac45969ccb91133fdc6a96e3c9520466116177288606b4185a794a8ebbd577444d3ca683a63bc3c89cc380

memory/1320-160-0x0000000001D10000-0x0000000001D18000-memory.dmp

memory/1320-156-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

memory/2736-181-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

memory/836-212-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

memory/2224-213-0x000007FEEBED0000-0x000007FEEC86D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 21:02

Reported

2024-06-03 21:05

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\PrintDialog\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\PrintDialog\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\Font\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\PrintDialog\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\Font\\services.exe\", \"C:\\Windows\\es-ES\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\PrintDialog\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\Font\\services.exe\", \"C:\\Windows\\es-ES\\Registry.exe\", \"C:\\Windows\\Fonts\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\PrintDialog\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\PrintDialog\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(21 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(4 identical rows)

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
(5 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\PrintDialog\RuntimeBroker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\Font\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\es-ES\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\PrintDialog\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\PrintDialog\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\7-Zip\\Lang\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\es-ES\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\7-Zip\\Lang\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Fonts\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\Font\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Fonts\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\services.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files\7-Zip\Lang\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCX5269.tmp C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\RCX56EF.tmp C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\services.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files\Windows Multimedia Platform\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX4DD3.tmp C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PrintDialog\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Windows\Fonts\RCX5B65.tmp C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Windows\es-ES\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Windows\Fonts\wininit.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Windows\Fonts\56085415360792 C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Windows\PrintDialog\RCX4FD7.tmp C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Windows\es-ES\Registry.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Windows\Fonts\wininit.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Windows\PrintDialog\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Windows\PrintDialog\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File created C:\Windows\es-ES\Registry.exe C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
File opened for modification C:\Windows\es-ES\RCX5961.tmp C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\PrintDialog\RuntimeBroker.exe N/A
N/A N/A C:\Windows\PrintDialog\RuntimeBroker.exe N/A
N/A N/A C:\Windows\PrintDialog\RuntimeBroker.exe N/A
N/A N/A C:\Windows\PrintDialog\RuntimeBroker.exe N/A
N/A N/A C:\Windows\PrintDialog\RuntimeBroker.exe N/A
N/A N/A C:\Windows\PrintDialog\RuntimeBroker.exe N/A
N/A N/A C:\Windows\PrintDialog\RuntimeBroker.exe N/A
N/A N/A C:\Windows\PrintDialog\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4740 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\cmd.exe
PID 4740 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe C:\Windows\System32\cmd.exe
PID 3616 wrote to memory of 4276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3616 wrote to memory of 4276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3616 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Windows\PrintDialog\RuntimeBroker.exe
PID 3616 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Windows\PrintDialog\RuntimeBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe

"C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PrintDialog\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\es-ES\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Fonts\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\wininit.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UEsqB2SdHc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\PrintDialog\RuntimeBroker.exe

"C:\Windows\PrintDialog\RuntimeBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 a0913612.xsph.ru udp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\services.exe

MD5 9eaaf55874f2f7c7d8dbab3258e925be
SHA1 ef5855e552f32f31e995c7a394493b4a2792208c
SHA256 47b6c064897a3ffb9fcabaf75ce71ec4af7df0e5eb44e61b11bd655cb828183b
SHA512 0f457fc3989c0264c81a5934c878f8022b18485323347fa4f937d3ef5b363c89a550e4bcdb4578f3f012a6051d118e5f8e0f58b81e2cb47517da505e23c4f050

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1tcxhgx.pa5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\UEsqB2SdHc.bat

MD5 9d037771af1ed574c582258b8f95ac3f
SHA1 6e89d7a74adac7236588878d499c71539c660cb4
SHA256 cf2f444b177b34384fc764b0ea5d77bce10365120027db95fc09e0cd6ecaeed6
SHA512 f4d47ca539681c651b78148773e1344bf614bb4aa8276af0b0db193b655bbc89583f9ae8712222eaa55c307817c6ad6dbe3c212fcc36afcb22ca11f6b338a780

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Windows\PrintDialog\RuntimeBroker.exe

MD5 97e62f1d922b3fce83e2cdfe9d50cf21
SHA1 45d7a56fe34f9d3f025c85cd0167f7a8c35628f8
SHA256 82091450a2c91dc000a6457e09083c7e8e9c71f5a1b6bc5eb5fabb35941fa39b
SHA512 0e494f3d3aba8c341a25c542ccab55ab9e90521cc3d9603b65f62147149c107075ac08907b1bd6d038fc352445e7603f90bcdc7024b165da5178795a9d718e8d
