Malware Analysis Report

2024-11-15 05:52

Sample ID 240722-c6fs2sxhjm
Target 40ac7d11ebb91612d8d5c16c05af0a13.exe
SHA256 4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e
Tags
rat dcrat infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e

Threat Level: Known bad

The file 40ac7d11ebb91612d8d5c16c05af0a13.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

DCRat payload

Process spawned unexpected child process

DcRat

Dcrat family

Modifies WinLogon for persistence

DCRat payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 02:41

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 02:41

Reported

2024-07-22 02:43

Platform

win7-20240704-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\", \"C:\\Users\\Default\\Links\\taskhost.exe\", \"C:\\componentCommon\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\smss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\", \"C:\\Users\\Default\\Links\\taskhost.exe\", \"C:\\componentCommon\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\OSPPSVC.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\", \"C:\\Users\\Default\\Links\\taskhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\", \"C:\\Users\\Default\\Links\\taskhost.exe\", \"C:\\componentCommon\\winlogon.exe\"" C:\componentCommon\ComInto.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\componentCommon\ComInto.exe N/A
N/A N/A C:\Users\Admin\Local Settings\wininit.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComInto = "\"C:\\Users\\Default User\\ComInto.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\Local Settings\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\smss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Start Menu\\audiodg.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Local Settings\\lsass.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\Links\\taskhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\OSPPSVC.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\componentCommon\\sppsvc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\componentCommon\\sppsvc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\componentCommon\\winlogon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\smss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComInto = "\"C:\\Users\\Default User\\ComInto.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\Local Settings\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\componentCommon\\winlogon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Start Menu\\audiodg.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Local Settings\\lsass.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\Links\\taskhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\OSPPSVC.exe\"" C:\componentCommon\ComInto.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\Media Renderer\smss.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\69ddcba757bf72 C:\componentCommon\ComInto.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe C:\componentCommon\ComInto.exe N/A
File created C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\088424020bedd6 C:\componentCommon\ComInto.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\winlogon.exe C:\componentCommon\ComInto.exe N/A
File created C:\Windows\PolicyDefinitions\ja-JP\cc11b995f2a76d C:\componentCommon\ComInto.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\Local Settings\wininit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\Local Settings\wininit.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Local Settings\wininit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\componentCommon\ComInto.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\wininit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe C:\Windows\SysWOW64\WScript.exe
PID 2556 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe C:\Windows\SysWOW64\WScript.exe
PID 2556 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe C:\Windows\SysWOW64\WScript.exe
PID 2556 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe C:\Windows\SysWOW64\WScript.exe
PID 2292 wrote to memory of 1404 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1404 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1404 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1404 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 1404 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 1404 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 1404 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 2088 wrote to memory of 2136 N/A C:\componentCommon\ComInto.exe C:\Windows\System32\cmd.exe
PID 2088 wrote to memory of 2136 N/A C:\componentCommon\ComInto.exe C:\Windows\System32\cmd.exe
PID 2088 wrote to memory of 2136 N/A C:\componentCommon\ComInto.exe C:\Windows\System32\cmd.exe
PID 2136 wrote to memory of 2440 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2136 wrote to memory of 2440 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2136 wrote to memory of 2440 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2136 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Local Settings\wininit.exe
PID 2136 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Local Settings\wininit.exe
PID 2136 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Local Settings\wininit.exe
PID 2548 wrote to memory of 2556 N/A C:\Users\Admin\Local Settings\wininit.exe C:\Windows\System32\WScript.exe
PID 2548 wrote to memory of 2556 N/A C:\Users\Admin\Local Settings\wininit.exe C:\Windows\System32\WScript.exe
PID 2548 wrote to memory of 2556 N/A C:\Users\Admin\Local Settings\wininit.exe C:\Windows\System32\WScript.exe
PID 2548 wrote to memory of 2148 N/A C:\Users\Admin\Local Settings\wininit.exe C:\Windows\System32\WScript.exe
PID 2548 wrote to memory of 2148 N/A C:\Users\Admin\Local Settings\wininit.exe C:\Windows\System32\WScript.exe
PID 2548 wrote to memory of 2148 N/A C:\Users\Admin\Local Settings\wininit.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe

"C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\componentCommon\j1nvYpGjbyEFrc.bat" "

C:\componentCommon\ComInto.exe

"C:\componentCommon\ComInto.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ComIntoC" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\ComInto.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ComInto" /sc ONLOGON /tr "'C:\Users\Default User\ComInto.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ComIntoC" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\ComInto.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\componentCommon\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\componentCommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\componentCommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\ja-JP\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Links\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\componentCommon\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\componentCommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\componentCommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Media Renderer\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Media Renderer\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gmjwMz7FMV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\Local Settings\wininit.exe

"C:\Users\Admin\Local Settings\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c51487f-3437-4245-b467-1e6b69ff926d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d367d19-e695-46d1-831c-52f7dc49389f.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ct54429.tw1.ru udp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
RU 185.114.247.170:80 ct54429.tw1.ru tcp

Files

C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe

MD5 e986ea5d4cac976a6de65d3f1ef8b332
SHA1 6465da0abcfac05b8ed1f32b9cca57e2e2f54aea
SHA256 3ad8783bacfea22158df341d1bbedf8f6f0dcc4d9504555b36a756d2fcd83831
SHA512 896934c1a2941a8edfd38b03a858fc589cfb6622ae75019a542638be0c9c4e436aacd0916196dd71442d1a90404afa29d2864c92401222ff5ec2a712d873fa11

C:\componentCommon\j1nvYpGjbyEFrc.bat

MD5 a0b9b0891c2cae67cd1beae705d09d4f
SHA1 997953188d6226de19faa0ab4e8fdbddf1fb5617
SHA256 13593fab7a2113730fdbe4cbf436dde9a26116cda0bd4a33dff27d5678e9f9fc
SHA512 bdcd0c6a765c3927180706f7b30f2ea0f7cab6f27e512433839ebe3f6cb148923a6733ae954c24fa6eedeca97b8dc01cae945eea07e1121ff74885a69b34f2bb

\componentCommon\ComInto.exe

MD5 9a0cee5a5ce317b7a70f88bb6aaa49e1
SHA1 95a779063656075a8ddc2f2164393fa59e3c93d9
SHA256 701924dd5d93b99a1e90fcd92f399c4453455e78375125f7a06aca20b84956bc
SHA512 d9c6240b6809c3decbdf4d97aca246f308670097b704b47449c53d8dc121f391d3ec6596f7947c36a01a388eeefe6f9ac9785698cf743f8a89c7cbf7b9da41a4

memory/2088-13-0x0000000000BB0000-0x0000000000D5C000-memory.dmp

memory/2088-14-0x00000000003D0000-0x00000000003DE000-memory.dmp

memory/2088-15-0x0000000000A20000-0x0000000000A3C000-memory.dmp

memory/2088-16-0x00000000003E0000-0x00000000003E8000-memory.dmp

memory/2088-18-0x00000000004E0000-0x00000000004E8000-memory.dmp

memory/2088-17-0x0000000000A40000-0x0000000000A56000-memory.dmp

memory/2088-19-0x0000000000A60000-0x0000000000A70000-memory.dmp

memory/2088-20-0x0000000000A70000-0x0000000000A78000-memory.dmp

memory/2088-21-0x0000000000A80000-0x0000000000A92000-memory.dmp

memory/2088-22-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

memory/2088-23-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

memory/2088-24-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

memory/2088-25-0x0000000000B60000-0x0000000000B6E000-memory.dmp

memory/2088-26-0x0000000000B70000-0x0000000000B7C000-memory.dmp

memory/2088-27-0x0000000000B80000-0x0000000000B8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gmjwMz7FMV.bat

MD5 a519014f7c570c368279419a676eeb98
SHA1 08da53bbf7ee157856cde9a0e9923640e75f1029
SHA256 c552c6bea4c9b475f1dbbbdb1dda4350081e271040bcf3be6bd0d5137bc3cae0
SHA512 2fcf11d77623e061c228b5b9072e7771d368e31cd45b74981a621722af15c834770e4ddc8ec83b009cf8e06c8460468f32ac1c43bf0fed268da82b212d3a7cb7

memory/2548-61-0x0000000000D80000-0x0000000000F2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0c51487f-3437-4245-b467-1e6b69ff926d.vbs

MD5 7d485ef6fadddd9785eac7bfc3defa63
SHA1 54a9f1db23eb49e846dc25c7a0e14e6a2dc1d666
SHA256 f91c4bf31f14c8b6396bfb2b0d216cea5cb8479a57955ffa9ec32043875f5f45
SHA512 fe65b3f42370df42efa2dfecfbcb431b9cbaf013c148a49693407440f1955ae1bac1c0d7cafa9c698e34de957b74609725d7ff59abaeb1bb8dd8fb7440285cae

C:\Users\Admin\AppData\Local\Temp\6d367d19-e695-46d1-831c-52f7dc49389f.vbs

MD5 997a9496842abd3a663c879eec7ba910
SHA1 35773e9b4c9cf1a8127a0382494ba3ee933c953a
SHA256 38ad21df386af0bda426225ac5a800f5f2a5cf905d3f5e6784c47d15a7edf63d
SHA512 d0506e3157d49533b21cd874d7e0048986763d98fdcef72dc48208fc42d983bca7f7fd043e50b2e37ad4a2167757a2e1e6d10e9fd9d9fc54e5688225e698ba83

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 02:41

Reported

2024-07-22 02:43

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\Windows Defender\en-US\56085415360792 C:\componentCommon\ComInto.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\", \"C:\\Windows\\debug\\taskhostw.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\", \"C:\\Windows\\debug\\taskhostw.exe\", \"C:\\Windows\\Setup\\State\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\", \"C:\\Windows\\debug\\taskhostw.exe\", \"C:\\Windows\\Setup\\State\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\", \"C:\\Windows\\debug\\taskhostw.exe\", \"C:\\Windows\\Setup\\State\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\SearchApp.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\", \"C:\\Windows\\debug\\taskhostw.exe\", \"C:\\Windows\\Setup\\State\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Windows\\tracing\\spoolsv.exe\", \"C:\\componentCommon\\RuntimeBroker.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\", \"C:\\Windows\\debug\\taskhostw.exe\", \"C:\\Windows\\Setup\\State\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Windows\\tracing\\spoolsv.exe\", \"C:\\componentCommon\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\", \"C:\\Windows\\debug\\taskhostw.exe\", \"C:\\Windows\\Setup\\State\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Windows\\tracing\\spoolsv.exe\", \"C:\\componentCommon\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\Program Files\\Windows Mail\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\", \"C:\\Windows\\debug\\taskhostw.exe\", \"C:\\Windows\\Setup\\State\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Windows\\tracing\\spoolsv.exe\", \"C:\\componentCommon\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\Program Files\\Windows Mail\\unsecapp.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\", \"C:\\Windows\\debug\\taskhostw.exe\", \"C:\\Windows\\Setup\\State\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Windows\\tracing\\spoolsv.exe\"" C:\componentCommon\ComInto.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\componentCommon\ComInto.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Defender\dllhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\componentCommon\ComInto.exe N/A
N/A N/A C:\Program Files (x86)\Windows Defender\dllhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\debug\\taskhostw.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Setup\\State\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\SearchApp.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Desktop\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Windows Security\\upfc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Admin\\Registry.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\componentCommon\\RuntimeBroker.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Desktop\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\tracing\\spoolsv.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\WindowsRE\\cmd.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\componentCommon\\Idle.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Mail\\unsecapp.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\WindowsRE\\cmd.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Setup\\State\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\componentCommon\\Idle.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Windows Security\\upfc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows Mail\\unsecapp.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Admin\\Registry.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\SearchApp.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\tracing\\spoolsv.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\componentCommon\\RuntimeBroker.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\debug\\taskhostw.exe\"" C:\componentCommon\ComInto.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Security\ea1d8f6d871115 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Photo Viewer\es-ES\5940a34987c991 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Mail\29c1c3cc0f7685 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Defender\en-US\wininit.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\ea1d8f6d871115 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files (x86)\Google\Temp\Registry.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Security\upfc.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files (x86)\Windows Defender\5940a34987c991 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Mail\unsecapp.exe C:\componentCommon\ComInto.exe N/A
File opened for modification C:\Program Files\Windows Defender\en-US\wininit.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Defender\en-US\56085415360792 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files (x86)\Google\Temp\ee2ad38f3d4382 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files (x86)\Windows Defender\dllhost.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\886983d96e3d3e C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\VideoLAN\SearchApp.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\VideoLAN\38384e6a620884 C:\componentCommon\ComInto.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\debug\taskhostw.exe C:\componentCommon\ComInto.exe N/A
File created C:\Windows\debug\ea9f0e6c9e2dcd C:\componentCommon\ComInto.exe N/A
File created C:\Windows\Setup\State\dllhost.exe C:\componentCommon\ComInto.exe N/A
File created C:\Windows\Setup\State\5940a34987c991 C:\componentCommon\ComInto.exe N/A
File created C:\Windows\tracing\spoolsv.exe C:\componentCommon\ComInto.exe N/A
File created C:\Windows\tracing\f3b6ecef712a24 C:\componentCommon\ComInto.exe N/A
File created C:\Windows\servicing\FodMetadata\dllhost.exe C:\componentCommon\ComInto.exe N/A
File created C:\Windows\ImmersiveControlPanel\uk-UA\Registry.exe C:\componentCommon\ComInto.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Program Files (x86)\Windows Defender\dllhost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Defender\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\componentCommon\ComInto.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Defender\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe C:\Windows\SysWOW64\WScript.exe
PID 4604 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe C:\Windows\SysWOW64\WScript.exe
PID 4604 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe C:\Windows\SysWOW64\WScript.exe
PID 2548 wrote to memory of 4428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 4428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 4428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 4428 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 3972 wrote to memory of 2800 N/A C:\componentCommon\ComInto.exe C:\Program Files (x86)\Windows Defender\dllhost.exe
PID 3972 wrote to memory of 2800 N/A C:\componentCommon\ComInto.exe C:\Program Files (x86)\Windows Defender\dllhost.exe
PID 2800 wrote to memory of 116 N/A C:\Program Files (x86)\Windows Defender\dllhost.exe C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 116 N/A C:\Program Files (x86)\Windows Defender\dllhost.exe C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 1896 N/A C:\Program Files (x86)\Windows Defender\dllhost.exe C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 1896 N/A C:\Program Files (x86)\Windows Defender\dllhost.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe

"C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\componentCommon\j1nvYpGjbyEFrc.bat" "

C:\componentCommon\ComInto.exe

"C:\componentCommon\ComInto.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\componentCommon\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\componentCommon\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\componentCommon\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\debug\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\componentCommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\componentCommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\componentCommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Windows Defender\dllhost.exe

"C:\Program Files (x86)\Windows Defender\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81ce3b56-c439-40a9-b2e4-c039547d6ac8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\621eaf17-544c-41c2-833b-ffcff2aefa6b.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ct54429.tw1.ru udp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 170.247.114.185.in-addr.arpa udp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe

MD5 e986ea5d4cac976a6de65d3f1ef8b332
SHA1 6465da0abcfac05b8ed1f32b9cca57e2e2f54aea
SHA256 3ad8783bacfea22158df341d1bbedf8f6f0dcc4d9504555b36a756d2fcd83831
SHA512 896934c1a2941a8edfd38b03a858fc589cfb6622ae75019a542638be0c9c4e436aacd0916196dd71442d1a90404afa29d2864c92401222ff5ec2a712d873fa11

C:\componentCommon\j1nvYpGjbyEFrc.bat

MD5 a0b9b0891c2cae67cd1beae705d09d4f
SHA1 997953188d6226de19faa0ab4e8fdbddf1fb5617
SHA256 13593fab7a2113730fdbe4cbf436dde9a26116cda0bd4a33dff27d5678e9f9fc
SHA512 bdcd0c6a765c3927180706f7b30f2ea0f7cab6f27e512433839ebe3f6cb148923a6733ae954c24fa6eedeca97b8dc01cae945eea07e1121ff74885a69b34f2bb

C:\componentCommon\ComInto.exe

MD5 9a0cee5a5ce317b7a70f88bb6aaa49e1
SHA1 95a779063656075a8ddc2f2164393fa59e3c93d9
SHA256 701924dd5d93b99a1e90fcd92f399c4453455e78375125f7a06aca20b84956bc
SHA512 d9c6240b6809c3decbdf4d97aca246f308670097b704b47449c53d8dc121f391d3ec6596f7947c36a01a388eeefe6f9ac9785698cf743f8a89c7cbf7b9da41a4

memory/3972-12-0x00007FFD754D3000-0x00007FFD754D5000-memory.dmp

memory/3972-13-0x0000000000BA0000-0x0000000000D4C000-memory.dmp

memory/3972-14-0x0000000002F60000-0x0000000002F6E000-memory.dmp

memory/3972-15-0x000000001B860000-0x000000001B87C000-memory.dmp

memory/3972-16-0x000000001B8D0000-0x000000001B920000-memory.dmp

memory/3972-17-0x0000000002F70000-0x0000000002F78000-memory.dmp

memory/3972-19-0x000000001B8A0000-0x000000001B8A8000-memory.dmp

memory/3972-20-0x000000001C140000-0x000000001C150000-memory.dmp

memory/3972-18-0x000000001B880000-0x000000001B896000-memory.dmp

memory/3972-21-0x000000001B8B0000-0x000000001B8B8000-memory.dmp

memory/3972-22-0x000000001B8C0000-0x000000001B8D2000-memory.dmp

memory/3972-23-0x000000001C680000-0x000000001CBA8000-memory.dmp

memory/3972-24-0x000000001C060000-0x000000001C06C000-memory.dmp

memory/3972-25-0x000000001C070000-0x000000001C078000-memory.dmp

memory/3972-26-0x000000001C080000-0x000000001C08A000-memory.dmp

memory/3972-28-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

memory/3972-27-0x000000001C090000-0x000000001C09E000-memory.dmp

memory/3972-29-0x000000001C0B0000-0x000000001C0BC000-memory.dmp

memory/2800-79-0x0000000003090000-0x00000000030A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81ce3b56-c439-40a9-b2e4-c039547d6ac8.vbs

MD5 aaeddf27e7fb662184f1a594b1fb0420
SHA1 72433379c9e2d42e92f7d2422f43b837628fe22b
SHA256 bd82f6ab6d924fe115457226d518a3d471b332a57f59880e498b578a1c6b22ce
SHA512 7fbabffbfbf2b786f7289daee17fb57dd8d0000322e281f046023c665481f3c71762595e49d04f628d6b12e0527b51bab370d1a6c9b8fd553b1924c0a3746ac7

C:\Users\Admin\AppData\Local\Temp\621eaf17-544c-41c2-833b-ffcff2aefa6b.vbs

MD5 40a4581b40e538be706ff140ced2849f
SHA1 000c20d3dd5a37e2105472a815e3c0e1dc57cfe8
SHA256 cf0416e18b02570e67bd846b3c94c480df5f592023a1610e34c465800b4edfa0
SHA512 687f5af2a193ebb26ba35c6e588df0beb909c2cb305fa6c48d552dd72ba93d2af65adaeff5599b19e6d2adcb4f274e24cd35f39ca9ec5efec355ff7c73ce3804