Malware Analysis Report

2024-11-13 13:46

Sample ID 240720-s441vssanj
Target 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
SHA256 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
Tags
rat dcrat infostealer persistence
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147

Threat Level: Known bad

The file 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

Modifies WinLogon for persistence

DCRat payload

DcRat

Dcrat family

Process spawned unexpected child process

DCRat payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-20 15:41

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-20 15:41

Reported

2024-07-20 15:57

Platform

win10v2004-20240709-en

Max time kernel

593s

Max time network

589s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(the row above is repeated 57 times in the original report, one per schtasks.exe invocation; the identical rows are collapsed here)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Users\\Public\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\", \"C:\\Windows\\ModemLogs\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\", \"C:\\Windows\\fr-FR\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(the row above is repeated 57 times in the original report, one per schtasks.exe child spawned by wmiprvse.exe; the identical rows are collapsed here)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\ModemLogs\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Photo Viewer\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\fr-FR\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\fr-FR\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Reference Assemblies\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Tasks\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Defender\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\ModemLogs\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Photo Viewer\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Reference Assemblies\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Tasks\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Mail\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Downloads\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\SendTo\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Mail\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Photo Viewer\smss.exe C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Registry.exe C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files\Windows Mail\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files (x86)\Windows Defender\dwm.exe C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files (x86)\Windows Defender\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files (x86)\Windows Mail\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files\Windows Photo Viewer\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files\Windows Mail\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files\WindowsPowerShell\Configuration\Registration\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
N/A N/A C:\Recovery\WindowsRE\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Performance\WinSAT\DataStore\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Defender\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\unsecapp.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Mail\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\fr-FR\sihost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Performance\WinSAT\DataStore\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\SendTo\fontdrvhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe

"C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\fr-FR\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3NBm7OqwB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\unsecapp.exe

"C:\Recovery\WindowsRE\unsecapp.exe"

C:\Recovery\WindowsRE\spoolsv.exe

C:\Recovery\WindowsRE\spoolsv.exe

C:\Program Files (x86)\Reference Assemblies\Registry.exe

"C:\Program Files (x86)\Reference Assemblies\Registry.exe"

C:\Windows\Performance\WinSAT\DataStore\winlogon.exe

C:\Windows\Performance\WinSAT\DataStore\winlogon.exe

C:\Program Files (x86)\Windows Defender\dwm.exe

"C:\Program Files (x86)\Windows Defender\dwm.exe"

C:\Recovery\WindowsRE\unsecapp.exe

C:\Recovery\WindowsRE\unsecapp.exe

C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe

"C:\Program Files\WindowsPowerShell\Configuration\Registration\lsass.exe"

C:\Program Files\Windows Mail\StartMenuExperienceHost.exe

"C:\Program Files\Windows Mail\StartMenuExperienceHost.exe"

C:\Users\Admin\Downloads\RuntimeBroker.exe

C:\Users\Admin\Downloads\RuntimeBroker.exe

C:\Windows\fr-FR\sihost.exe

C:\Windows\fr-FR\sihost.exe

C:\Recovery\WindowsRE\spoolsv.exe

C:\Recovery\WindowsRE\spoolsv.exe

C:\Program Files (x86)\Reference Assemblies\Registry.exe

"C:\Program Files (x86)\Reference Assemblies\Registry.exe"

C:\Windows\Performance\WinSAT\DataStore\winlogon.exe

C:\Windows\Performance\WinSAT\DataStore\winlogon.exe

C:\Users\Default\SendTo\fontdrvhost.exe

C:\Users\Default\SendTo\fontdrvhost.exe
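
The Run-key values and the schtasks registrations above follow one pattern. Each dropped binary carries the name of a Windows system process but lives outside System32 (lsass.exe under WindowsPowerShell\Configuration\Registration, csrss.exe under C:\Windows\Tasks, System.exe and Registry.exe, which are kernel-managed names with no image at all), several are written to both the HKCU and HKLM Run keys, and each gets three tasks: a MINUTE-interval re-launch, an ONLOGON run at highest privilege, and a second MINUTE-interval run at highest privilege. The Python script below is an added example, not part of the sandbox report, that parses report lines of both kinds and flags that pattern. The LEGIT_HOME table of expected binary locations, the 15-minute interval threshold and the two-finding cut-off for tasks are this example's assumptions; the sample input is three lines copied from the report plus one benign task registration made up for contrast.

```python
"""Triage of the Run-key values and schtasks command lines listed above. Added
example, not part of the report; sample lines copied from it, rules are mine."""
import re
from collections import namedtuple

SYSTEM32 = r"c:\windows\system32"
# Assumption of this example: where Windows really loads binaries with these
# names from. None marks kernel pseudo-processes that have no image on disk.
LEGIT_HOME = {
    "lsass.exe": SYSTEM32, "csrss.exe": SYSTEM32, "smss.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32, "services.exe": SYSTEM32, "spoolsv.exe": SYSTEM32,
    "dwm.exe": SYSTEM32, "sihost.exe": SYSTEM32, "fontdrvhost.exe": SYSTEM32,
    "runtimebroker.exe": SYSTEM32, "backgroundtaskhost.exe": SYSTEM32,
    "upfc.exe": SYSTEM32, "unsecapp.exe": SYSTEM32 + r"\wbem",
    "system.exe": None, "registry.exe": None,
}
Task = namedtuple("Task", "name schedule every target highest")

def split_path(path):
    """(parent_dir, file_name), lower-cased, surrounding quotes removed."""
    parent, _, name = path.strip().strip("\"'").lower().rpartition("\\")
    return parent, name

def masquerade_reason(path):
    """Why `path` is a system-process look-alike, or None if it is not one."""
    parent, name = split_path(path)
    if name not in LEGIT_HOME:
        return None
    home = LEGIT_HOME[name]
    if home is None:
        return f"{name}: kernel pseudo-process name, no such image exists on disk"
    return None if parent == home else f"{name}: expected in {home}, found in {parent}"

RUN_RE = re.compile(r'(\\REGISTRY\\\S+?\\Run)\\(\S+) = "((?:[^"\\]|\\.)*)"')

def parse_run_value(line):
    """Report line 'Set value (str) <key> = "<data>" ...' -> (key, value name, image)."""
    m = RUN_RE.search(line)
    if not m:
        return None
    key, name, raw = m.groups()
    # The report escapes the data as \\ and \"; undo that and drop the outer quotes.
    return key, name, re.sub(r"\\(.)", r"\1", raw).strip('"')

def parse_schtasks(cmdline):
    """Tokenise a logged Windows command line ("..." groups) and collect /create switches."""
    argv = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    if len(argv) < 2 or argv[1].lower() != "/create":
        return None
    opts = {a.lower(): b for a, b in zip(argv, argv[1:])
            if a.lower() in ("/tn", "/sc", "/mo", "/tr", "/rl")}
    if "/tn" not in opts or "/tr" not in opts:
        return None
    every = int(opts["/mo"]) if opts.get("/mo", "").isdigit() else None
    return Task(opts["/tn"], opts.get("/sc", "").upper(), every,
                opts["/tr"].strip("'"), opts.get("/rl", "").upper() == "HIGHEST")

def task_findings(t):
    """DCRat-style task: look-alike target, name from the dropped file, short interval, HIGHEST."""
    out = [r for r in [masquerade_reason(t.target)] if r]
    stem = split_path(t.target)[1].removesuffix(".exe")
    if t.name.lower() in (stem, stem + stem[:1]):
        out.append(f"task name {t.name!r} derived from target file name")
    if t.schedule == "MINUTE" and t.every is not None and t.every <= 15:
        out.append(f"re-launches every {t.every} min")
    if t.highest:
        out.append("requests /rl HIGHEST")
    return out

def triage(lines, min_task_findings=2):
    """Suspicious line -> findings. A Run value is reported on a look-alike path
    alone; a task needs several hits, since naming a task after its target is common."""
    report = {}
    for line in lines:
        findings = []
        if line.startswith("Set value (str)") and (p := parse_run_value(line)):
            key, name, image = p
            why = masquerade_reason(image)
            if why:
                hive = "HKLM" if "\\MACHINE\\" in key else "HKCU"
                findings.append(f"{hive} Run\\{name} -> {why}")
        elif line.lstrip().lower().startswith("schtasks") and (t := parse_schtasks(line)):
            findings = task_findings(t)
            if len(findings) < min_task_findings:
                findings = []
        if findings:
            report[line] = findings
    return report

# Constructed input: three lines copied from this report plus one benign task.
SAMPLE = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',
]
```

Run `triage(SAMPLE)` to get the three malicious lines mapped to their findings; the benign backup task is dropped because its only hit is the name-derived-from-target rule. The same functions take Sysmon event 1 command lines or `reg query` output once the Run-key line format is adjusted in RUN_RE.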

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 a1006461.xsph.ru udp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
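
The Network table repeats one cycle six times: a cleartext HTTP request to ip-api.com (the victim's public IP and geolocation), then two cleartext HTTP connections to a1006461.xsph.ru on 141.8.197.42, interleaved with Bing traffic and reverse lookups that come from the sandbox itself. The Python below is an added example rather than part of the report: it turns rows in this table's format into per-host connection counts with resolver chatter removed, and ranks hosts by how often they are the first TCP peer after a geo-IP lookup. The ip-api.com entry in GEOIP_SERVICES, the three-cycle threshold and the treatment of port 80 as cleartext are assumptions of the example; the sample rows are a subset copied from the table.

```python
"""Connection summary and check-in pattern over the Network table above. Added
example, not part of the report; rows copied from the table, rules are mine."""
from collections import Counter

GEOIP_SERVICES = {"ip-api.com"}  # assumption: hosts used only to learn the public IP

def parse_rows(text):
    """Rows are 'Country ip:port [domain] proto'; the domain column may be empty."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:          # no domain column, as in the 52.111.227.14 row
            parts.insert(2, "")
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def connections(rows):
    """Flows per (host, ip, port, proto), without DNS and the sandbox's PTR lookups."""
    c = Counter()
    for r in rows:
        if r["port"] == 53 or r["domain"].endswith(".in-addr.arpa"):
            continue
        c[(r["domain"] or r["ip"], r["ip"], r["port"], r["proto"])] += 1
    return c

def geoip_followers(rows):
    """How often each host is the first TCP peer after an external-IP lookup.
    DCRat geolocates the victim, then reports in, so the controller repeats here
    once per check-in cycle while unrelated traffic lands there at most by chance."""
    tcp = [r for r in rows if r["proto"] == "tcp"]
    c = Counter()
    for prev, cur in zip(tcp, tcp[1:]):
        if prev["domain"] in GEOIP_SERVICES and cur["domain"] not in GEOIP_SERVICES:
            c[cur["domain"] or cur["ip"]] += 1
    return c

def c2_candidates(rows, min_cycles=3):
    """Hosts that follow a geo-IP lookup at least min_cycles times, busiest first."""
    follow = geoip_followers(rows)
    out = []
    for (host, ip, port, proto), n in connections(rows).items():
        if proto == "tcp" and follow.get(host, 0) >= min_cycles:
            out.append({"host": host, "ip": ip, "port": port, "connections": n,
                        "after_geoip": follow[host], "cleartext": port == 80})
    return sorted(out, key=lambda d: -d["connections"])

# Constructed input: a subset of the rows in the Network table above.
SAMPLE = """
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 a1006461.xsph.ru udp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
US 52.111.227.14:443 tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 208.95.112.1:80 ip-api.com tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
US 208.95.112.1:80 ip-api.com tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
"""

if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    for key, n in connections(rows).most_common():
        print(n, *key)
    print(c2_candidates(rows))
```

On this subset a1006461.xsph.ru is the only host that follows the geo-IP lookup three times; g.bing.com follows it once and is dropped by the threshold, which is the point of counting cycles rather than single occurrences.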

Files

memory/4696-0-0x00007FF8AD5A3000-0x00007FF8AD5A5000-memory.dmp

memory/4696-1-0x0000000000440000-0x000000000064E000-memory.dmp

memory/4696-2-0x00007FF8AD5A0000-0x00007FF8AE061000-memory.dmp

memory/4696-3-0x0000000002760000-0x000000000276E000-memory.dmp

memory/4696-4-0x00000000028A0000-0x00000000028A8000-memory.dmp

memory/4696-5-0x000000001B2E0000-0x000000001B336000-memory.dmp

memory/4696-6-0x00000000028B0000-0x00000000028BC000-memory.dmp

memory/4696-7-0x00000000028C0000-0x00000000028CC000-memory.dmp

memory/4696-8-0x000000001B380000-0x000000001B38C000-memory.dmp

memory/4696-11-0x00007FF8AD5A0000-0x00007FF8AE061000-memory.dmp

memory/4696-12-0x00007FF8AD5A0000-0x00007FF8AE061000-memory.dmp

C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\fontdrvhost.exe

MD5 6e4e01af6b88116f0c7331bba5e7b782
SHA1 756c0a5ea8aac86f41d118166452a011a608043c
SHA256 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
SHA512 f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b

memory/4696-54-0x00007FF8AD5A0000-0x00007FF8AE061000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\q3NBm7OqwB.bat

MD5 db6c56559b8257f945f326fabaf44c25
SHA1 135af524ae2ce332a4e624450c9d5f23bfd806f2
SHA256 2f0a232de63b35b8b50831f2524c119e1bd433aa9c1ad72ed8ae745dfba1b34e
SHA512 f273bbb26ad07fc57fc3de00b135ac6d229985ebe3d505325c7746aef1bea7070283f51470589d6f4ed5be3ed6fb4c599963005a5c4854898b8cec0eb1a3039d

memory/4392-67-0x000000001B830000-0x000000001B932000-memory.dmp

memory/4448-73-0x000000001BD80000-0x000000001BE82000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

MD5 5cb90c90e96a3b36461ed44d339d02e5
SHA1 5508281a22cca7757bc4fbdb0a8e885c9f596a04
SHA256 34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb
SHA512 63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4

memory/2504-79-0x000000001BA10000-0x000000001BB12000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-20 15:41

Reported

2024-07-20 15:57

Platform

win11-20240709-en

Max time kernel

421s

Max time network

425s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\backgroundTaskHost.exe\", \"C:\\Windows\\BrowserCore\\en-US\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\backgroundTaskHost.exe\", \"C:\\Windows\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Libraries\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Libraries\dllhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Libraries\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\BrowserCore\\en-US\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\BrowserCore\\en-US\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Libraries\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\BrowserCore\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
File created C:\Windows\BrowserCore\en-US\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Libraries\dllhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe

"C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\BrowserCore\en-US\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f

C:\Users\Public\Libraries\dllhost.exe

"C:\Users\Public\Libraries\dllhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp
RU 141.8.197.42:80 a1006461.xsph.ru tcp

Files

C:\Users\Public\Libraries\dllhost.exe

MD5 6e4e01af6b88116f0c7331bba5e7b782
SHA1 756c0a5ea8aac86f41d118166452a011a608043c
SHA256 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
SHA512 f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b
