Malware Analysis Report

2024-11-15 05:52

Sample ID 240721-qa36csteqp
Target c830d62f6f45993891816dee47dee340N.exe
SHA256 2338d4f0154b4295202b61eafb9c5e457112de784325f6fc38a587be668024e3
Tags
rat dcrat execution infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2338d4f0154b4295202b61eafb9c5e457112de784325f6fc38a587be668024e3

Threat Level: Known bad

The file c830d62f6f45993891816dee47dee340N.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer persistence

Process spawned unexpected child process

DcRat

Dcrat family

DCRat payload

Modifies WinLogon for persistence

DCRat payload

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 13:04

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 13:04

Reported

2024-07-21 13:06

Platform

win7-20240708-en

Max time kernel

26s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (6 identical rows)
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A (36 identical rows)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\", \"C:\\Users\\Public\\Desktop\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\", \"C:\\Users\\Public\\Desktop\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\", \"C:\\Users\\Public\\Desktop\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\", \"C:\\Users\\Public\\Desktop\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\csrss.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Windows\\PLA\\dllhost.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\", \"C:\\Users\\Public\\Desktop\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\csrss.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Windows\\PLA\\dllhost.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\ja-JP\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\", \"C:\\Users\\Public\\Desktop\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\csrss.exe\", \"C:\\Users\\Default User\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\", \"C:\\Users\\Public\\Desktop\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\csrss.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Windows\\PLA\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\", \"C:\\Users\\Public\\Desktop\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\csrss.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Windows\\PLA\\dllhost.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\", \"C:\\Users\\Public\\Desktop\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\csrss.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Default User\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\winlogon.exe\", \"C:\\Program Files\\Microsoft Games\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\", \"C:\\Users\\Public\\Desktop\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\csrss.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Windows\\PLA\\dllhost.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\ja-JP\\csrss.exe\", \"C:\\Windows\\Registration\\CRMLog\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (42 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Desktop\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Reference Assemblies\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\PLA\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\PLA\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Common Files\\System\\ja-JP\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Reference Assemblies\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\c830d62f6f45993891816dee47dee340N = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Desktop\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Common Files\\System\\ja-JP\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Microsoft Games\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Desktop\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Registration\\CRMLog\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Microsoft Games\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c830d62f6f45993891816dee47dee340N = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\c830d62f6f45993891816dee47dee340N.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Registration\\CRMLog\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\wininit.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files\Microsoft Games\wininit.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files (x86)\Common Files\System\ja-JP\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\plugin2\csrss.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\RCXBA5C.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files\Microsoft Games\RCXBC60.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD111.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files\Microsoft Games\56085415360792 C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files\Reference Assemblies\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files\Java\jre7\bin\plugin2\csrss.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files\Java\jre7\bin\plugin2\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\plugin2\RCXC5B6.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ja-JP\RCXD315.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files\Reference Assemblies\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PLA\dllhost.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Windows\PLA\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Windows\Registration\CRMLog\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Windows\Registration\CRMLog\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Windows\PLA\RCXCC9C.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Windows\PLA\dllhost.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Windows\Registration\CRMLog\RCXD519.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Windows\Registration\CRMLog\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (42 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\Desktop\csrss.exe N/A
N/A N/A C:\Users\Public\Desktop\csrss.exe N/A
N/A N/A C:\Users\Public\Desktop\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Users\Public\Desktop\csrss.exe
PID 2104 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Users\Public\Desktop\csrss.exe
PID 2104 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Users\Public\Desktop\csrss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe

"C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c830d62f6f45993891816dee47dee340Nc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c830d62f6f45993891816dee47dee340N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c830d62f6f45993891816dee47dee340Nc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PLA\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\c830d62f6f45993891816dee47dee340N.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\ja-JP\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\sppsvc.exe'

C:\Users\Public\Desktop\csrss.exe

"C:\Users\Public\Desktop\csrss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0996046.xsph.ru udp
RU 141.8.195.33:80 a0996046.xsph.ru tcp

Files

memory/2104-0-0x000007FEF5413000-0x000007FEF5414000-memory.dmp

memory/2104-1-0x00000000012D0000-0x0000000001482000-memory.dmp

memory/2104-2-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

memory/2104-3-0x0000000000250000-0x000000000025E000-memory.dmp

memory/2104-4-0x0000000000260000-0x000000000027C000-memory.dmp

memory/2104-5-0x0000000000280000-0x0000000000288000-memory.dmp

memory/2104-6-0x0000000000310000-0x0000000000320000-memory.dmp

memory/2104-8-0x0000000000340000-0x000000000034C000-memory.dmp

memory/2104-7-0x0000000000320000-0x0000000000336000-memory.dmp

memory/2104-9-0x00000000003D0000-0x00000000003D8000-memory.dmp

memory/2104-11-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/2104-12-0x0000000000600000-0x000000000060C000-memory.dmp

memory/2104-13-0x0000000000610000-0x000000000061C000-memory.dmp

memory/2104-14-0x0000000000620000-0x000000000062E000-memory.dmp

memory/2104-15-0x0000000000630000-0x0000000000638000-memory.dmp

memory/2104-16-0x0000000000640000-0x000000000064E000-memory.dmp

memory/2104-17-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

memory/2104-20-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

C:\Users\Public\Desktop\csrss.exe

MD5 c830d62f6f45993891816dee47dee340
SHA1 4284963ed30b687ccd47a2d69e6809e4290f0c78
SHA256 2338d4f0154b4295202b61eafb9c5e457112de784325f6fc38a587be668024e3
SHA512 d7870eca65c6b6b25b3f7dd788414afd64c075db9bdd1d8b099e932ab571449fe20126d5bde0bd3aaebd2c10ac4160c6ffee1899d8b2b37874f0a996af886fdc

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RCXC3B3.tmp

MD5 568c52e6cf24db35c0ac1f9670d4d140
SHA1 570037d5dc3065eed9d17e038d1d198059e931de
SHA256 ed1baeb845d9a797d0ad874e5271589aee3159fdb36ce933be9ea9bffcb07c0b
SHA512 dac10fba93b0945ea87b958d3fdaede7a4a9fcd12b6a817a5b1e63e221d4e01c19ac09937566b1959b50768d2d792076554a11de9eb38a50500e0fa1a2b4141a

C:\Windows\Registration\CRMLog\sppsvc.exe

MD5 2ede430f50b682d2d3e340d92547a65e
SHA1 a1157d983acad4868e6bbc0908856d8795f228b6
SHA256 cea6be492ab545395a1ef0d92c2448138c2ebeba131ee8ec8a25105b7cfa266d
SHA512 b71797a71af23bc58d48d7e29836c1f6cd86b7de36d5f95577d63a64844d251ae6df8997ca339e90d21f85ce2e8f8946ba1ad27a65113b7c5a8f700260e504d0

C:\Users\Public\Desktop\csrss.exe

MD5 671cbf574660490e11c8f5e698b1aa54
SHA1 cff58e3c6f7faa1e0c2a082e310ed75ae08294e0
SHA256 60b1d8eab5594894957691472c1e6a863f43a9b359cb89b2f284f4df5f431bd0
SHA512 0ab5b2212c46e2d843b8d8a7dc7461285dc41201400bcc4cd826233e509ab0c5fcff5ca05b4ac09c9caffbab41480511660631e7120bd32d593e51299d03b8b7

memory/2628-152-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

memory/2904-153-0x00000000012F0000-0x00000000014A2000-memory.dmp

memory/2628-151-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 3bf78b8b0495c97db5ca9a1647618545
SHA1 5e56bbe546846dfe735f2c9c4fb0d7fb47c0e9be
SHA256 75f57294cbcdb58c135e18fc3ed9a43f4d31d1fa54cc7b2eeec40f05fe4980b2
SHA512 b0f51f40105ee4ab470321586cc87ffa36d81a4662dc752473ca22eeba48dccd6dfdbf2dfbcf321b2360d71a48cfc98dcf26e242488b20d97146c36cb35b63f0

memory/2104-155-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 13:04

Reported

2024-07-21 13:06

Platform

win10v2004-20240709-en

Max time kernel

107s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\taskhostw.exe\", \"C:\\Windows\\addins\\winlogon.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\taskhostw.exe\", \"C:\\Windows\\addins\\winlogon.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\csrss.exe\", \"C:\\Windows\\Panther\\setup.exe\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\taskhostw.exe\", \"C:\\Windows\\addins\\winlogon.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\csrss.exe\", \"C:\\Windows\\Panther\\setup.exe\\SearchApp.exe\", \"C:\\Users\\Admin\\OneDrive\\c830d62f6f45993891816dee47dee340N.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\taskhostw.exe\", \"C:\\Windows\\addins\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Windows\Panther\setup.exe\SearchApp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Panther\\setup.exe\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c830d62f6f45993891816dee47dee340N = "\"C:\\Users\\Admin\\OneDrive\\c830d62f6f45993891816dee47dee340N.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\addins\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\addins\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Panther\\setup.exe\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c830d62f6f45993891816dee47dee340N = "\"C:\\Users\\Admin\\OneDrive\\c830d62f6f45993891816dee47dee340N.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX9DF7.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RCX9FFC.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXA405.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Panther\setup.exe\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Windows\Panther\setup.exe\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Windows\Panther\setup.exe\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Windows\addins\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File created C:\Windows\addins\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Windows\addins\RCXA201.tmp C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
File opened for modification C:\Windows\addins\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1428 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1428 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1428 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1428 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1428 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1428 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1428 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe
PID 1548 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1548 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1548 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1548 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe C:\Windows\Panther\setup.exe\SearchApp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe

"C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\addins\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'

C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe

"C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\setup.exe\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\setup.exe\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c830d62f6f45993891816dee47dee340Nc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\OneDrive\c830d62f6f45993891816dee47dee340N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c830d62f6f45993891816dee47dee340N" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\c830d62f6f45993891816dee47dee340N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c830d62f6f45993891816dee47dee340Nc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\OneDrive\c830d62f6f45993891816dee47dee340N.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c830d62f6f45993891816dee47dee340N.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\c830d62f6f45993891816dee47dee340N.exe'

C:\Windows\Panther\setup.exe\SearchApp.exe

"C:\Windows\Panther\setup.exe\SearchApp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 a0996046.xsph.ru udp
RU 141.8.195.33:80 a0996046.xsph.ru tcp
US 8.8.8.8:53 33.195.8.141.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ntfnwd1v.rtl.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c830d62f6f45993891816dee47dee340N.exe.log