Malware Analysis Report

2024-10-10 13:03

Sample ID: 240618-vldr3ascqa
Target: 5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe
SHA256: 5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db
Tags: rat dcrat evasion infostealer persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db

Threat Level: Known bad

The file 5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer persistence spyware stealer trojan

DcRat

Modifies WinLogon for persistence

Process spawned unexpected child process

Dcrat family

DCRat payload

UAC bypass

DCRat payload

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

System policy modification

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-18 17:04

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 17:04
Reported: 2024-06-18 17:06
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (22 identical rows)
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (11 identical rows)

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\dllhost.exe\", \"C:\\Windows\\Logs\\CBS\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsass.exe\", \"C:\\Users\\Default\\Application Data\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\dllhost.exe\", \"C:\\Windows\\Logs\\CBS\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\dllhost.exe\", \"C:\\Windows\\Logs\\CBS\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\dllhost.exe\", \"C:\\Windows\\Logs\\CBS\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsass.exe\", \"C:\\Users\\Default\\Application Data\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\dllhost.exe\", \"C:\\Windows\\Logs\\CBS\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsass.exe\", \"C:\\Users\\Default\\Application Data\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\dllhost.exe\", \"C:\\Windows\\Logs\\CBS\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsass.exe\", \"C:\\Users\\Default\\Application Data\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\Users\\All Users\\Favorites\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe (33 identical rows)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Services\lsass.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Services\lsass.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Services\lsass.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 identical rows)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Services\lsass.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Favorites\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Application Data\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Media Player\\it-IT\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db = "\"C:\\Windows\\Logs\\CBS\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Common Files\\Services\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Application Data\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Favorites\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db = "\"C:\\Windows\\Logs\\CBS\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Common Files\\Services\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Media Player\\it-IT\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\fc26e022-289f-11ef-a973-46d84c032646\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\Services\lsass.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Services\lsass.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
File created | C:\Program Files (x86)\Common Files\Services\lsass.exe | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
File created | C:\Program Files (x86)\Common Files\Services\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\8ce57e9e94c96f | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
File created | C:\Program Files\Windows Media Player\it-IT\csrss.exe | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
File created | C:\Program Files\Windows Media Player\it-IT\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Logs\CBS\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A
File created | C:\Windows\Logs\CBS\8ce57e9e94c96f | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (33 identical rows)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe | N/A (7 identical rows)
N/A | N/A | C:\Program Files (x86)\Common Files\Services\lsass.exe | N/A (57 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Services\lsass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Services\lsass.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe C:\Windows\System32\cmd.exe
PID 2132 wrote to memory of 2324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2132 wrote to memory of 1760 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Common Files\Services\lsass.exe
PID 1760 wrote to memory of 2440 N/A C:\Program Files (x86)\Common Files\Services\lsass.exe C:\Windows\System32\WScript.exe
PID 1760 wrote to memory of 1740 N/A C:\Program Files (x86)\Common Files\Services\lsass.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Services\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Services\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Services\lsass.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe

"C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db5" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\CBS\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db5" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\CBS\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db5" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db5" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VXkPT9VgOb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Common Files\Services\lsass.exe

"C:\Program Files (x86)\Common Files\Services\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72d9c7e8-b11e-4727-8b04-6e723aa2b11f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c20ce27d-03ee-4fdb-82f1-17faf6eb4566.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0992097.xsph.ru udp
RU 141.8.192.103:80 a0992097.xsph.ru tcp

Files

C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\dllhost.exe

MD5 20ba93789eb7001ba9e4842bcc69fe62
SHA1 4f2de529f2094f978d35cfb040cbd6e7c6274f98
SHA256 5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db
SHA512 327f2a7900f9900a6fb6f86f46efb8936b0327142f8e7120cd9d3db7b87b762c2288971b48ffe8fd3ec2e751f492652fb87da8197becf9b30e59b3d9247934b1

C:\Users\Admin\AppData\Local\Temp\VXkPT9VgOb.bat

MD5 c51dae164f12700f226c003acfd4e0b2
SHA1 9c9611517b9a2b09df5d1cd7cb504e7c0d164c69
SHA256 28536acc1a0786f800cfb4f623deabd2fcc78b313f1414554a3d26d46349242c
SHA512 40f0e604ab1047c41a9ae54166dcbf98e5dbff6325529001c7e19921623198c94a1594deb5eb60113b84a2385a843797a748cf56abbb86727e30fb7134e3db4a

C:\Users\Admin\AppData\Local\Temp\72d9c7e8-b11e-4727-8b04-6e723aa2b11f.vbs

MD5 a956edbbfe5aaa6266bcb9e75a89a66d
SHA1 5bee4e31ad5c6489289b67c38c08afef0be946ca
SHA256 58812e75a8555a1ee7d164b55e11e7a7d561b8c65ffff0ab3db2bcdbddf4e409
SHA512 a640273f46734c00cb6537612e2b215dd4e7cb00a0a47b6061db48e1a2ec385515370c21804d79470ce28ac095d7192e364be29780ec0cd3f28d4c19fd9e27fc

C:\Users\Admin\AppData\Local\Temp\c20ce27d-03ee-4fdb-82f1-17faf6eb4566.vbs

MD5 7c2a85514fc3639e7df2c308b131d764
SHA1 2b6dcdb5bcf84433f8973353cd32f6675856c986
SHA256 3fb39f43052a2151d8903288f0bbccedbd537fea3ff2bbac0f522b22a1148019
SHA512 fcdb50a5d3038f1ae67eb5419f4b31ca72092ad2b2b4453203e051698710b911637527381d954fe7d2615508e167886b6b1e3259ea8ed6267adb7de30414fc00

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 17:04

Reported

2024-06-18 17:06

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Windows\\Provisioning\\Cosa\\MO\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\MSBuild\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\MSBuild\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\Provisioning\\Cosa\\MO\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\Provisioning\\Cosa\\MO\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\assembly\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\assembly\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MSBuild\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
File created C:\Program Files\Uninstall Information\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
File created C:\Program Files\Uninstall Information\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
File created C:\Program Files (x86)\MSBuild\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Idle.exe C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
File opened for modification C:\Windows\assembly\Idle.exe C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
File created C:\Windows\assembly\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
File created C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
File created C:\Windows\Provisioning\Cosa\MO\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
N/A N/A C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe

"C:\Users\Admin\AppData\Local\Temp\5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\assembly\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe

"C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a35c696-8351-417d-9a00-78c3d5284f73.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee75aa4b-6447-4173-8eeb-a388bd6f3843.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
BE 23.41.178.123:443 www.bing.com tcp
US 8.8.8.8:53 123.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 a0992097.xsph.ru udp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
US 8.8.8.8:53 udp

Files

C:\Windows\Provisioning\Cosa\MO\OfficeClickToRun.exe

MD5 20ba93789eb7001ba9e4842bcc69fe62
SHA1 4f2de529f2094f978d35cfb040cbd6e7c6274f98
SHA256 5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db
SHA512 327f2a7900f9900a6fb6f86f46efb8936b0327142f8e7120cd9d3db7b87b762c2288971b48ffe8fd3ec2e751f492652fb87da8197becf9b30e59b3d9247934b1

C:\Users\Admin\AppData\Local\Temp\ee75aa4b-6447-4173-8eeb-a388bd6f3843.vbs

MD5 3fdd587776d3b6e40390633c79a86008
SHA1 843c1d97e8f619e0c6a03daffcd6c1ae589fd8e9
SHA256 b824944612e7c9258da2fde907d3dc8ba5124245bdf97ad3d4cdfd4e1662c9d5
SHA512 ed4da84715737df5776d245e991a50ba318792b1489662d488179f9c1e7c980bc3cf280095eb66c0c061df188650659e50059a0b35f525741cfa5e029137ff33

C:\Users\Admin\AppData\Local\Temp\2a35c696-8351-417d-9a00-78c3d5284f73.vbs

MD5 fdca45fb5e0b7c40c0f3b9826dfdcda4
SHA1 fabcaf4d10a3bd8cbe1de928a55d89e109d0a333
SHA256 9a2c7106b5b44b44f36ef832974255c0184c6728a546e260ab33ded99a24d0bb
SHA512 1877ae46a99afac3e924b272ddd53bdd3aab072766f711c3ba619406ecaa0aef0d3b6459db5d0fe5cf331d71ade4daecb321b2d47bf8d1e87cd194631100d5a0
