Malware Analysis Report

2025-08-06 01:47

Sample ID 241031-dqy55axkas
Target 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N
SHA256 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008
Tags
dcrat infostealer persistence rat discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008

Threat Level: Known bad

The file 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat discovery

DcRat

Modifies WinLogon for persistence

Dcrat family

Process spawned unexpected child process

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 03:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 03:13

Reported

2024-10-31 03:15

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Nature\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Nature\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default User\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Web\\Wallpaper\\Nature\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default User\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1f5748e2-69f6-11ef-b486-62cb582c238c\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Web\\Wallpaper\\Nature\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCD7E8F2E947BD4BFAB26E29DCBB27592.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\1woi1z.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Web\Wallpaper\Nature\lsm.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Nature\lsm.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Windows\Web\Wallpaper\Nature\101b941d020240 C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe N/A
N/A N/A C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2408 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2408 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2400 wrote to memory of 2388 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2400 wrote to memory of 2388 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2400 wrote to memory of 2388 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2408 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\System32\cmd.exe
PID 2408 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\System32\cmd.exe
PID 2408 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\System32\cmd.exe
PID 2216 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2216 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2216 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2216 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2216 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2216 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2216 wrote to memory of 776 N/A C:\Windows\System32\cmd.exe C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
PID 2216 wrote to memory of 776 N/A C:\Windows\System32\cmd.exe C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
PID 2216 wrote to memory of 776 N/A C:\Windows\System32\cmd.exe C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3n0rnbt1\3n0rnbt1.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9BA.tmp" "c:\Windows\System32\CSCD7E8F2E947BD4BFAB26E29DCBB27592.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Nature\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Nature\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Nature\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\psS3BOCiYp.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe

"C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 077207cm.nyafka.top udp
FR 37.44.238.250:80 077207cm.nyafka.top tcp
FR 37.44.238.250:80 077207cm.nyafka.top tcp

Files

memory/2408-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

memory/2408-1-0x0000000000020000-0x00000000001FA000-memory.dmp

memory/2408-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

memory/2408-3-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

memory/2408-4-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

memory/2408-6-0x00000000003F0000-0x00000000003FE000-memory.dmp

memory/2408-7-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

memory/2408-9-0x00000000007B0000-0x00000000007CC000-memory.dmp

memory/2408-14-0x0000000000680000-0x000000000068C000-memory.dmp

memory/2408-12-0x0000000002280000-0x0000000002298000-memory.dmp

memory/2408-10-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

memory/2408-15-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

C:\Users\Default\taskhost.exe

MD5 cdfe4113f2d0e3d04921aaf02a61f4c0
SHA1 f6677353b59a891a2fe06dc2971ec383154c3094
SHA256 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008
SHA512 6892293e3a3856fd10161970e1ff149ea320bc6fc1e57c7d636d7dde25b82a9715344a5638f5d55ed4b0224cbe7af2fc8a55e6367ad3f1d5272104c7777f5404

memory/2408-27-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

memory/2408-28-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\3n0rnbt1\3n0rnbt1.cmdline

MD5 1988a362a1a22a1e53512247dc722ae7
SHA1 5a5860c1bfe509a2028a913444e62f40c5e3bf05
SHA256 7847b940636dc79d48d332bb31d13209f32c95081601de6085f41c25761e664a
SHA512 7ef9093969749cdfa8c99d66b137c023b967ee694c921d320c8cf0c0b9c62e8629f076c552f85170121786e00134b6a11288bfe560b000c433a64ab01823a580

\??\c:\Users\Admin\AppData\Local\Temp\3n0rnbt1\3n0rnbt1.0.cs

MD5 1d066a5ed25e3789feb3b821d3015a0d
SHA1 8506c9a524f9572a619af060d3c6030c7a95880d
SHA256 cf60d6ecd64084fb287b57e91af57510eb84d5f9211395625e2d48fb2506a994
SHA512 4567aec0d9c290a1d823c42efff6329c3f86cfa82359acad6585dcfa8b0ca98bda586f6f3159d81cfb3c4b28532018a5887267339f8c8b1a892dfacc4097daf5

\??\c:\Windows\System32\CSCD7E8F2E947BD4BFAB26E29DCBB27592.TMP

MD5 dcd286f3a69cfd0292a8edbc946f8553
SHA1 4d347ac1e8c1d75fc139878f5646d3a0b083ef17
SHA256 29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596
SHA512 4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

C:\Users\Admin\AppData\Local\Temp\RESF9BA.tmp

MD5 5cd5addd58c84380cd831ac43a082349
SHA1 b2ca6cf0e6c029f89dcbb4732a8b4e42afc34d6b
SHA256 cc62b50859e01132372b50efb93e35954acf0639b3002cd1b6f1d4f6de0bfa5d
SHA512 0e487d2a9889adb96ef75fe09106c466af19a462ea76e7dabc68cabea0c07a296ecaa8939e311ac5232733f7966a2fd8fe97a06e783fd07bf8e4f438a40fff69

memory/2408-45-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\psS3BOCiYp.bat

MD5 8e63413bd65c2eabc8c3a5f930606918
SHA1 5ae44a0e8902555c41909afa287ab37b86938c5e
SHA256 13a4d75d6aed8e7fa059ee4a085c30ab3c019ca87b94b8d4912a3906b53c48c8
SHA512 2c76c1375b81ec1ff51cceb08fe3928f7e925ee27612c319f9fd058838ff6852b59e365bdbd22c447ef38f9b25ea182021039e84446e966b96772d46c3d78823

memory/776-49-0x0000000000BB0000-0x0000000000D8A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 03:13

Reported

2024-10-31 03:15

Platform

win10v2004-20241007-en

Max time kernel

114s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SoftwareDistribution\\SLS\\9482F4B4-E343-43B6-B170-9A65BC822C77\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SoftwareDistribution\\SLS\\9482F4B4-E343-43B6-B170-9A65BC822C77\\Registry.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SoftwareDistribution\\SLS\\9482F4B4-E343-43B6-B170-9A65BC822C77\\Registry.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\SppExtComObj.exe\", \"C:\\Users\\Admin\\NetHood\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SoftwareDistribution\\SLS\\9482F4B4-E343-43B6-B170-9A65BC822C77\\Registry.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\SppExtComObj.exe\", \"C:\\Users\\Admin\\NetHood\\taskhostw.exe\", \"C:\\Users\\Admin\\Recent\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SoftwareDistribution\\SLS\\9482F4B4-E343-43B6-B170-9A65BC822C77\\Registry.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\SppExtComObj.exe\", \"C:\\Users\\Admin\\NetHood\\taskhostw.exe\", \"C:\\Users\\Admin\\Recent\\backgroundTaskHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SoftwareDistribution\\SLS\\9482F4B4-E343-43B6-B170-9A65BC822C77\\Registry.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\SppExtComObj.exe\", \"C:\\Users\\Admin\\NetHood\\taskhostw.exe\", \"C:\\Users\\Admin\\Recent\\backgroundTaskHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Recent\backgroundTaskHost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\SoftwareDistribution\\SLS\\9482F4B4-E343-43B6-B170-9A65BC822C77\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\Recent\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\SoftwareDistribution\\SLS\\9482F4B4-E343-43B6-B170-9A65BC822C77\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Admin\\NetHood\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Admin\\NetHood\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\Recent\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCA72222686E6A4F5BAE366EF3DDDB527.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\-63gkj.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\winlogon.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\winlogon.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\Registry.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\backgroundTaskHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1144 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4740 wrote to memory of 1192 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4740 wrote to memory of 1192 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1144 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\System32\cmd.exe
PID 1144 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\System32\cmd.exe
PID 1848 wrote to memory of 4296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1848 wrote to memory of 4296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1848 wrote to memory of 5008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1848 wrote to memory of 5008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1848 wrote to memory of 4012 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Recent\backgroundTaskHost.exe
PID 1848 wrote to memory of 4012 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Recent\backgroundTaskHost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\Registry.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4t5ecc5p\4t5ecc5p.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES737A.tmp" "c:\Windows\System32\CSCA72222686E6A4F5BAE366EF3DDDB527.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\NetHood\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Recent\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Recent\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\PackageManifests\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\PackageManifests\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g5S83u7t2J.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Recent\backgroundTaskHost.exe

"C:\Users\Admin\Recent\backgroundTaskHost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 077207cm.nyafka.top udp
FR 37.44.238.250:80 077207cm.nyafka.top tcp
FR 37.44.238.250:80 077207cm.nyafka.top tcp
US 8.8.8.8:53 250.238.44.37.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/1144-0-0x00007FF989B43000-0x00007FF989B45000-memory.dmp

memory/1144-1-0x0000000000710000-0x00000000008EA000-memory.dmp

memory/1144-2-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

memory/1144-3-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

memory/1144-4-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

memory/1144-6-0x0000000001220000-0x000000000122E000-memory.dmp

memory/1144-7-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

memory/1144-9-0x0000000001290000-0x00000000012AC000-memory.dmp

memory/1144-10-0x000000001B900000-0x000000001B950000-memory.dmp

memory/1144-12-0x00000000012B0000-0x00000000012C8000-memory.dmp

memory/1144-15-0x0000000001270000-0x000000000127C000-memory.dmp

memory/1144-13-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

memory/1144-16-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

memory/1144-22-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\Registry.exe

MD5 cdfe4113f2d0e3d04921aaf02a61f4c0
SHA1 f6677353b59a891a2fe06dc2971ec383154c3094
SHA256 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008
SHA512 6892293e3a3856fd10161970e1ff149ea320bc6fc1e57c7d636d7dde25b82a9715344a5638f5d55ed4b0224cbe7af2fc8a55e6367ad3f1d5272104c7777f5404

memory/1144-29-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

memory/1144-33-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4t5ecc5p\4t5ecc5p.0.cs

MD5 78c37edc30a65bf3d92993eb6bb5bf01
SHA1 9f00622c18e742416437340093724a394d29c129
SHA256 82dd94a8af55ea315f0a31862cf5cd792c06c082ef6bc702fa1c303b84fcb01d
SHA512 d73932dde6d9dc1cc28d5c82e65bacb012c8aa794de5812bd1120099e950758132c75b2a8890279f7b375cf7b3bef3eb068ef470ddc6245d9c94b7d55efef72e

\??\c:\Users\Admin\AppData\Local\Temp\4t5ecc5p\4t5ecc5p.cmdline

MD5 8a97944b590d895a4b37e88bd5d9a135
SHA1 9e3fdcbcaf75a053b074ca76146e6a460b3428ce
SHA256 89f177483fd805a90d77a5a17a35a19cf6b3e6a7cc952e522d3b5d04b7e7b987
SHA512 dca4ff159f40bcd025820f0374baee0da0c4efe4127ee79eb13d7bf3646948aa831b704c37a31a919609d67e0e12eef58a46b2f2add50b7e7fc282f7f779c4a7

memory/1144-36-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

\??\c:\Windows\System32\CSCA72222686E6A4F5BAE366EF3DDDB527.TMP

MD5 82a7b8ef3bc275711e3b27c6df93c7ff
SHA1 bdac909f26475c94c74145576bcf22adb0f8203c
SHA256 582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124
SHA512 f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248

C:\Users\Admin\AppData\Local\Temp\RES737A.tmp

MD5 bff7a91937fd2a77f60b5a1eb24d6b76
SHA1 a985f6aca0fefb70ee9a4f279f7b0b9cee9aadd5
SHA256 0e6266073e401aca0ab2ec4613a61cfc5f95c74bd920794ae4e6f353a6c6afc3
SHA512 dadf3e50669ac1d3106355d37750331654c040c8269041ea4932e44066be1217c0ee7abd0679bb14849d94bb8fd29b6c81bdbcea6050ba319aa8c45d8bc3527a

memory/1144-49-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\g5S83u7t2J.bat

MD5 7d289f2237267569bcb05f647d9eee41
SHA1 d21f497a223b7d0968e5ff32493adad551dcbab3
SHA256 6070ceca7f136b09cde917638638384bb4a0e01e57a42c98389316485a8505a3
SHA512 798c0cd4a68db71dbbae9422f9abe4d1b5f179e186101f6b34093901ac740f535a4e181c9bef16f0cd8e2dbfe52e1a8e31c108de55b4bb9b9264353c4f105e0f

memory/4012-58-0x00000000029B0000-0x00000000029B8000-memory.dmp