Malware Analysis Report

2024-10-10 13:00

Sample ID: 240617-qb3k8asane
Target: 524b2b64f6d71da4fe34437ce40975da.exe
SHA256: 9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e
Tags: rat dcrat infostealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e
Threat Level: Known bad

The file 524b2b64f6d71da4fe34437ce40975da.exe was found to be: Known bad.

Malicious Activity Summary

Tags: rat dcrat infostealer

DcRat
Process spawned unexpected child process
Dcrat family
DCRat payload
DCRat payload
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-17 13:06

Signatures

DCRat payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family (tags: dcrat)

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 13:06
Reported: 2024-06-17 13:08
Platform: win7-20240611-en
Max time kernel: 122s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe"

Signatures

DcRat (tags: rat infostealer dcrat)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(the same row is repeated 64 times in the original report)

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(the same row is repeated 63 times in the original report)

DCRat payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(the same row is repeated 3 times in the original report)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Journal\lsass.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Journal\lsass.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files\7-Zip\Lang\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\services.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\en-US\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files\7-Zip\Lang\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files\Common Files\524b2b64f6d71da4fe34437ce40975da.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files\Windows Journal\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Program Files\Common Files\cf8a4467a76829 | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\debug\lsm.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Windows\debug\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Windows\Vss\Writers\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Windows\Vss\Writers\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Windows\RemotePackages\RemoteDesktops\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Windows\RemotePackages\RemoteDesktops\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
File created | C:\Windows\Boot\PCAT\ru-RU\Idle.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s) (tags: persistence)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(the same row is repeated 64 times in the original report)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Journal\lsass.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | C:\Windows\System32\cmd.exe
PID 2792 wrote to memory of 1236 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2792 wrote to memory of 2876 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe
PID 2876 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe
PID 2652 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe | C:\Windows\System32\cmd.exe
PID 2032 wrote to memory of 2728 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2032 wrote to memory of 2224 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Windows Journal\lsass.exe
(each row above appears 3 times in the original report)

Uses Task Scheduler COM API (tags: persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe

"C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wfNKgTND0E.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe

"C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\lsass.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe

"C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\debug\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteDesktops\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "524b2b64f6d71da4fe34437ce40975da5" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\524b2b64f6d71da4fe34437ce40975da.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "524b2b64f6d71da4fe34437ce40975da" /sc ONLOGON /tr "'C:\Users\Admin\524b2b64f6d71da4fe34437ce40975da.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "524b2b64f6d71da4fe34437ce40975da5" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\524b2b64f6d71da4fe34437ce40975da.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "524b2b64f6d71da4fe34437ce40975da5" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\PrintHood\524b2b64f6d71da4fe34437ce40975da.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "524b2b64f6d71da4fe34437ce40975da" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\524b2b64f6d71da4fe34437ce40975da.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "524b2b64f6d71da4fe34437ce40975da5" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\524b2b64f6d71da4fe34437ce40975da.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Music\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "524b2b64f6d71da4fe34437ce40975da5" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\524b2b64f6d71da4fe34437ce40975da.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "524b2b64f6d71da4fe34437ce40975da" /sc ONLOGON /tr "'C:\Program Files\Common Files\524b2b64f6d71da4fe34437ce40975da.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "524b2b64f6d71da4fe34437ce40975da5" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\524b2b64f6d71da4fe34437ce40975da.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1VpA9Xf5Nx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Journal\lsass.exe

"C:\Program Files\Windows Journal\lsass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 a0994622.xsph.ru udp
RU 141.8.192.58:80 a0994622.xsph.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\wfNKgTND0E.bat

MD5 1d9d83d6abadad1d8ceb4a7f02557ab7
SHA1 df4cfc31f699e877da57abbf4ab86d99d4c53e9c
SHA256 88bee7641f50ac970cf73d751e70837a86cad75bef2cf19f48fc62b0110366b1
SHA512 c84b92ed2c822a0fee97f02565a45f4708340ff7a627f1105cb187587d28f38adf3740403044d899a6dc59ef3fe7f4b156a7de26ce3842cf38864f1b325ab481

C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe

MD5 524b2b64f6d71da4fe34437ce40975da
SHA1 a3c9bc5e512ad28a45b2e9f23e3cd58a5aa6f4bc
SHA256 9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e
SHA512 38f71021fb59f80bb08fa60c35d792192e57ea216d2299b8e060aee64d1c79eafa381b8715276560b9306fa696cf05cda41b46ee194a27c6346504de5d5c9a40

C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\6203df4a6bafc7

MD5 28b2429ca47e2e115c00499af35bebdc
SHA1 3ca10f52014090b5d49987fc8ceede7d5e52fb6d
SHA256 329fcae15a87ec6eff0503d6cfddf13ffb555bdf4505c16d8a1e889788b75ea6
SHA512 f99cef5ec74bdc1eda7be3875ff1e57d3e50649c80b30aea92ab1ca58f6b8fd312ab980b265d96f80d0cef0425222fca86753d7c210d39c842cb2bc51b94e825

C:\Users\Admin\AppData\Local\Temp\1VpA9Xf5Nx.bat

MD5 b488b7e7ba24060d6ca70a0ef78e478f
SHA1 c08b9107a198027e39cf7f5fca3a5046de956dfd
SHA256 d406c3ef8b98e43f9ffbff436917eb78cc3e56bb349a84867960501abf7a776b
SHA512 2e9d78a97b3f3af98e0174aa7b91a3ba594abfacf7d9e79b62f7d0c372e81acc9ae780584ec3e62013ddacc79b5150d8ff429c6ac332ab90cd693735df6918ff

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 13:06

Reported

2024-06-17 13:08

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\de-DE\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\dotnet\swidtag\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\RemotePackages\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Default User\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Default User\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Default User\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Default User\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Default User\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Default User\spoolsv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Default User\spoolsv.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\swidtag\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files\Windows Mail\csrss.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files (x86)\Windows Defender\Registry.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files\dotnet\swidtag\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\dllhost.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files\dotnet\swidtag\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files (x86)\Windows Defender\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files\Windows Mail\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\RemotePackages\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\InputMethod\SHARED\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\IdentityCRL\production\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\CbsTemp\csrss.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\CbsTemp\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\IdentityCRL\production\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\de-DE\explorer.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\de-DE\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\RemotePackages\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
File created C:\Windows\InputMethod\SHARED\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Default User\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Default User\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Default User\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Default User\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Default User\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Default User\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Default User\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
N/A N/A C:\Users\Default User\spoolsv.exe N/A
N/A N/A C:\Users\Default User\spoolsv.exe N/A
N/A N/A C:\Users\Default User\spoolsv.exe N/A
N/A N/A C:\Users\Default User\spoolsv.exe N/A
N/A N/A C:\Users\Default User\spoolsv.exe N/A
N/A N/A C:\Users\Default User\spoolsv.exe N/A
N/A N/A C:\Users\Default User\spoolsv.exe N/A
N/A N/A C:\Users\Default User\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4720 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe C:\Windows\System32\cmd.exe
PID 4720 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe C:\Windows\System32\cmd.exe
PID 4988 wrote to memory of 1684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4988 wrote to memory of 1684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4988 wrote to memory of 4488 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe
PID 4988 wrote to memory of 4488 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe
PID 4488 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe
PID 4488 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe
PID 2700 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe C:\Users\Default User\spoolsv.exe
PID 2700 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe C:\Users\Default User\spoolsv.exe
PID 4992 wrote to memory of 4380 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4992 wrote to memory of 4380 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4380 wrote to memory of 604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4380 wrote to memory of 604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4380 wrote to memory of 3020 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 4380 wrote to memory of 3020 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 3020 wrote to memory of 4788 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 3020 wrote to memory of 4788 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4788 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4788 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4788 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 4788 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 1944 wrote to memory of 708 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 1944 wrote to memory of 708 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 708 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 708 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 708 wrote to memory of 948 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 708 wrote to memory of 948 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 948 wrote to memory of 1276 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 948 wrote to memory of 1276 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 1276 wrote to memory of 4804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1276 wrote to memory of 4804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1276 wrote to memory of 3984 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 1276 wrote to memory of 3984 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 3984 wrote to memory of 4208 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 3984 wrote to memory of 4208 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4208 wrote to memory of 1616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4208 wrote to memory of 1616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4208 wrote to memory of 4308 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 4208 wrote to memory of 4308 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 4308 wrote to memory of 2248 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4308 wrote to memory of 2248 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 2248 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2248 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2248 wrote to memory of 1828 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 2248 wrote to memory of 1828 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 1828 wrote to memory of 4204 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 1828 wrote to memory of 4204 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4204 wrote to memory of 4056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4204 wrote to memory of 4056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4204 wrote to memory of 872 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 4204 wrote to memory of 872 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
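
The rows above are enough to rebuild the detonation's process tree and to spot the restart loop that produces them: each dropped copy launches cmd.exe on a temporary .bat, cmd.exe runs w32tm.exe (used as a delay) and then re-executes the payload, which starts the cycle again. The script below is an added example, not part of the sandbox report or of the DcRat tooling. Its input is a constructed subset of the table (the distinct rows, since the report lists each pair twice). It assumes the writer of a "wrote to memory of" record is the child's parent, which holds for these rows because every target also appears as a started process under Processes; in general a WriteProcessMemory record can also mean injection into an unrelated process, so confirm against process-creation events before relying on this in a hunt. The regex also assumes image paths end in ".exe".

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: the distinct "wrote to memory of" rows from the table
# above (the report lists every pair twice; the repeats are collapsed here).
WPM_ROWS = r"""
PID 4720 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe C:\Windows\System32\cmd.exe
PID 4988 wrote to memory of 1684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4988 wrote to memory of 4488 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe
PID 4488 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe
PID 2700 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe C:\Users\Default User\spoolsv.exe
PID 4992 wrote to memory of 4380 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4380 wrote to memory of 604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4380 wrote to memory of 3020 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 3020 wrote to memory of 4788 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4788 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4788 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 1944 wrote to memory of 708 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 708 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 708 wrote to memory of 948 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 948 wrote to memory of 1276 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 1276 wrote to memory of 4804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1276 wrote to memory of 3984 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 3984 wrote to memory of 4208 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4208 wrote to memory of 1616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4208 wrote to memory of 4308 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 4308 wrote to memory of 2248 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 2248 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2248 wrote to memory of 1828 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
PID 1828 wrote to memory of 4204 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\cmd.exe
PID 4204 wrote to memory of 4056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4204 wrote to memory of 872 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\spoolsv.exe
"""

# Assumes both image paths end in ".exe" (true for every row in the report).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")


def parse_rows(text):
    """Return (images, children): pid -> image path and pid -> [child pids]."""
    images, children = {}, defaultdict(list)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        parent, child = int(m[1]), int(m[2])
        images.setdefault(parent, m[3])
        images.setdefault(child, m[4])
        if child not in children[parent]:  # repeated write events, one edge
            children[parent].append(child)
    return images, dict(children)


def basename(path):
    return PureWindowsPath(path).name.lower()


def roots(images, children):
    """Processes nobody wrote to: the detonation entry point(s)."""
    written_to = {c for kids in children.values() for c in kids}
    return sorted(p for p in images if p not in written_to)


def relay_chains(images, children, sleeper="w32tm.exe", shell="cmd.exe"):
    """Find X -> cmd.exe -> {w32tm.exe, X'} where X' carries X's image name.

    This is the self-restart loop in the report: the payload runs a .bat via
    cmd.exe, the batch calls w32tm as a sleep, then re-executes the payload.
    """
    hits = []
    for grandparent, kids in children.items():
        for shell_pid in kids:
            if basename(images[shell_pid]) != shell:
                continue
            grandkids = children.get(shell_pid, [])
            if sleeper not in {basename(images[g]) for g in grandkids}:
                continue
            for g in grandkids:
                if basename(images[g]) == basename(images[grandparent]):
                    hits.append((grandparent, shell_pid, g))
    return hits


if __name__ == "__main__":
    imgs, kids = parse_rows(WPM_ROWS)
    print("roots:", roots(imgs, kids))
    for gp, sh, child in relay_chains(imgs, kids):
        print(f"{gp} ({basename(imgs[gp])}) -> {sh} (cmd.exe) -> {child} ({basename(imgs[child])})")
```

Run against the constructed rows it reports one root (PID 4720) and eight relays: one where the original sample restarts itself and seven where the dropped spoolsv.exe copy restarts itself. On a live host the same logic applies to Sysmon Event ID 1 or Security 4688 parent/child pairs, where the parent relationship is explicit and the WriteProcessMemory caveat does not arise.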

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe

"C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\swidtag\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\RemotePackages\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ypvlDQDbiO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe

"C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\PrintHood\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\PrintHood\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe

"C:\Users\Admin\AppData\Local\Temp\524b2b64f6d71da4fe34437ce40975da.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\CbsTemp\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\CbsTemp\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\production\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\production\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Users\Default User\spoolsv.exe

"C:\Users\Default User\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\spoolsv.exe

"C:\Users\Default User\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\spoolsv.exe

"C:\Users\Default User\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\spoolsv.exe

"C:\Users\Default User\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\spoolsv.exe

"C:\Users\Default User\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\spoolsv.exe

"C:\Users\Default User\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\spoolsv.exe

"C:\Users\Default User\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\spoolsv.exe

"C:\Users\Default User\spoolsv.exe"
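
Every persistence target in the Processes list above is registered the same way: three schtasks /create calls per binary, one MINUTE task with a 5 to 14 minute interval, one ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, with the task name being either the binary's stem or the stem with its own first letter appended (spoolsv/spoolsvs, explorer/explorere, RuntimeBroker/RuntimeBrokerR). The targets borrow names of Windows system processes but live in directories those binaries never occupy, and two of them (System.exe, Registry.exe) mimic kernel pseudo-processes that have no file on disk at all. The script below is an added example, not part of the report or of any vendor tooling, that turns those observations into a check over process command lines. Its input is a constructed subset of the schtasks lines above plus one constructed benign control line; the LEGIT_DIRS set and the 15-minute relaunch threshold are assumptions chosen from this report and should be tuned for your estate.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed input: a subset of the schtasks.exe command lines listed under
# Processes above, plus one benign control line that is NOT from the report.
SCHTASKS_LINES = r"""
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\swidtag\spoolsv.exe'" /f
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\spoolsv.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\spoolsv.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\explorer.exe'" /f
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\Registry.exe'" /f
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "'C:\Program Files\Acme\backup.exe'" /f
"""

# Names the report's targets borrow from real Windows processes.
SYSTEM_BINARY_NAMES = {
    "spoolsv.exe", "explorer.exe", "smss.exe", "csrss.exe", "dllhost.exe",
    "runtimebroker.exe", "taskhostw.exe", "unsecapp.exe", "backgroundtaskhost.exe",
    "searchapp.exe", "startmenuexperiencehost.exe", "textinputhost.exe", "upfc.exe",
}
# Task Manager shows "System" and "Registry", but neither has an .exe on disk.
PSEUDO_PROCESS_NAMES = {"system.exe", "registry.exe"}
# Assumption: where the names above legitimately live (exact parent directory).
# Illustrative only; extend per estate (e.g. wbem, SystemApps subfolders).
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
RELAUNCH_MAX_MINUTES = 15  # assumption: the report's intervals are 5..14


@dataclass
class Task:
    name: Optional[str]
    schedule: str
    interval: Optional[int]
    target: str
    run_level: Optional[str]
    raw: str


def _opt(flag, line):
    """Value of a schtasks switch, quoted or bare; None if absent."""
    m = re.search(rf'{re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', line, re.I)
    return None if not m else (m[1] if m[1] is not None else m[2])


def parse_schtasks(line):
    line = line.strip()
    if "/create" not in line.lower():
        return None
    mo = _opt("/mo", line)
    return Task(
        name=_opt("/tn", line),
        schedule=(_opt("/sc", line) or "").upper(),
        interval=int(mo) if mo else None,
        target=(_opt("/tr", line) or "").strip("'"),  # report wraps paths in '...'
        run_level=(_opt("/rl", line) or "").upper() or None,
        raw=line,
    )


def load_tasks(text):
    return [t for t in (parse_schtasks(l) for l in text.strip().splitlines()) if t]


def masquerades(target):
    p = PureWindowsPath(target)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in PSEUDO_PROCESS_NAMES:
        return True
    return name in SYSTEM_BINARY_NAMES and parent not in LEGIT_DIRS


def findings(tasks: List[Task]):
    """target path -> reasons, for every target that trips at least one check."""
    by_target = defaultdict(list)
    for t in tasks:
        by_target[t.target.lower()].append(t)
    out = {}
    for group in by_target.values():
        reasons = []
        if masquerades(group[0].target):
            reasons.append("masquerade")
        stem = PureWindowsPath(group[0].target).stem
        if stem and all(t.name in (stem, stem + stem[0]) for t in group):
            reasons.append("name-pattern")
        onlogon_high = any(t.schedule == "ONLOGON" and t.run_level == "HIGHEST" for t in group)
        relaunch = any(t.schedule == "MINUTE" and t.interval is not None
                       and t.interval <= RELAUNCH_MAX_MINUTES for t in group)
        if len(group) >= 3 and onlogon_high and relaunch:
            reasons.append("relaunch-triad")
        if reasons:
            out[group[0].target] = reasons
    return out


if __name__ == "__main__":
    for target, why in findings(load_tasks(SCHTASKS_LINES)).items():
        print(f"{target}: {', '.join(why)}")
```

The three checks are independent on purpose: the name pattern is specific to this family's builder and will not survive a rebuild, the relaunch triad is a stable behavioural trait (a task that re-runs a user-writable binary every few minutes with highest privileges), and the masquerade check catches the dropped copies regardless of how they are scheduled. Feed it Sysmon Event ID 1 or Security 4688 command lines; lines without /create are ignored.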

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp

Files

memory/4720-0-0x00007FFE80DA3000-0x00007FFE80DA5000-memory.dmp

memory/4720-1-0x00000000003D0000-0x00000000004A6000-memory.dmp

memory/4720-4-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\backgroundTaskHost.exe

MD5 524b2b64f6d71da4fe34437ce40975da
SHA1 a3c9bc5e512ad28a45b2e9f23e3cd58a5aa6f4bc
SHA256 9657907c0c8253e461b6c8eaf27b0b491ff0f93be69849db50fa6ee5474d507e
SHA512 38f71021fb59f80bb08fa60c35d792192e57ea216d2299b8e060aee64d1c79eafa381b8715276560b9306fa696cf05cda41b46ee194a27c6346504de5d5c9a40

memory/4720-20-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ypvlDQDbiO.bat

MD5 3444e3a1c8e1e74ac6ef544c37e23f64
SHA1 daa867b2232b397a1a17fec74a23a5f7bb512a49
SHA256 cf7bb0783e239b753ab00593f8548715f72dd1d5266f96d42cf4d7d77957cc8e
SHA512 09730d5fa7103ae6b3ab6fe314836446250778ff03675ad495ce8c931df81eee0f3cd5884ebb49982a1d1ac0597c2d4468eb589dc6a75fc191b5a3b7a2946f6a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\524b2b64f6d71da4fe34437ce40975da.exe.log

MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat

MD5 fdfac5acb8c0c4c5f784ab8154f55a91
SHA1 8100d85625c2808d764fe8023782f53ffaf4de74
SHA256 2ce2fe1b1cfcfd463d4c4966aca527913977977596d22feff02f64f82a065b3f
SHA512 e84f69ade484b5436814a0b03794b59178bdbcea126b7f6593124e670979feba056fddf0655a9f0c6b95da4f3d89412f8c5a8918642630404020c5e9178f48ca

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/3020-80-0x000000001C670000-0x000000001C7DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

MD5 6f5f52258929c0babce3083ec4142e0f
SHA1 3469e051805a12b0094df6e2f8afbe4aa7baf617
SHA256 c1ab96a8d3f089808a57f348d39417a7fa508e469a50d76452d08793ebc3bb71
SHA512 aebc77bea3acb1defbe733c5490c03fbf479b85b1c79d0f87e72ad4c74ab6e06d81ee273f2527e477867003789d7cd2566f63c054c9e99868f90e59a783578e9

C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat

MD5 e8add6605224092ff3eebf74767d0728
SHA1 fcf9856af1783288eafde4ac41580065c685e082
SHA256 15e0f6adb484b72e9838119b70336d36b37824b07a032c898bdcb7ad0baeb37d
SHA512 421344ed7a2b77599bb61b7a2d1e12da2a70a45105626c07fc422cfe7fd4b26dd1c5a982bea981631d061ff4925351a5a9ee4b23ee3aa4a4d8058faa058d20d5

memory/948-93-0x000000001C670000-0x000000001C7DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat

MD5 2d842c6a1b3fecd00e3a67eefa0a754c
SHA1 78174afb5988c80ffa6a4969d540dfa4ed31ca2d
SHA256 dd70b721df48d33657b5f8d9dc026ef02d42ee77d4a6b055881e9105b1861af5
SHA512 cf79934c222b507c1c438210bb29f052d4a9ac34cfb9d73316859aacc687ccc58ed19ea1787fb425bf52e215b621a08a930583a258f9dee54fca3d547ea532a0

C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat

MD5 c044bbe54c3aa21f1335904159347ab5
SHA1 752a18ff681acc5bcd4566978142453ac9c8b0e0
SHA256 cd70a38db755b21301de38a1884136851979b54c5b416782695e870d1d544e1a
SHA512 464f362ca7c0e92d792f1a7c483c86eba8e7e7c76e929aab48485083e4d0168c7ce0a5a6c6e0b7655074b7459ad916da4715bfd03b693d99f7b6f127c4498c33

C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat

MD5 6557aa1e59950599f9e6f4317b228200
SHA1 7e59faa33648ee4b24800d60691f500ba5a2eccb
SHA256 b5e48e56882ed44bba4e549b2cc0de3873a1749dfd1d994afb863aa39bb6de96
SHA512 d481ccd9bdf8f98c35e12dc4f2ff43b307b794368fc8564bd0aa8e73bc8f062aff4879b713ea6c8f711b35b0aec5d21b0321108224720d999b53d88832b1469d

C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat

MD5 fda85088fa81a0308ba08520065044a0
SHA1 f4d47056605da6e4d050ec35bf1c6e71ff4c8a09
SHA256 3250a247ae9bd457e5b4c0e4f2d0167b4f152ad51b2626c128076d1d4aec409a
SHA512 09ec2995199be6ac5ad478af1000a26a2c523fae719e5c170116de13ac93ebf5f2157464937971a8af0189328fa21c2a26e9da40a4ff4974792ee72053bca1a5