Malware Analysis Report

2025-08-06 01:47

Sample ID 241031-dswssayerl
Target 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N
SHA256 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008
Tags
dcrat infostealer persistence rat discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008

Threat Level: Known bad

The file 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat discovery

Process spawned unexpected child process

Dcrat family

DcRat

Modifies WinLogon for persistence

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 03:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 03:16

Reported

2024-10-31 03:19

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\services.exe\", \"C:\\Program Files\\7-Zip\\wininit.exe\", \"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (18 identical entries)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\7-Zip\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\ssh\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\7-Zip\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\SoftwareDistribution\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Common Files\\DESIGNER\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Common Files\\DESIGNER\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\ssh\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC963D989D1CEA4D71909F722FCC39A96F.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\lhkpi-.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\DESIGNER\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files\Common Files\DESIGNER\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files\7-Zip\wininit.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files\7-Zip\56085415360792 C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (2 identical entries)
PID 5032 wrote to memory of 2280 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (2 identical entries)
PID 5096 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\System32\cmd.exe (2 identical entries)
PID 3064 wrote to memory of 3988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com (2 identical entries)
PID 3064 wrote to memory of 5028 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical entries)
PID 3064 wrote to memory of 864 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe (2 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\ssh\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\ssh\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\ssh\services.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bmmatddt\bmmatddt.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC479.tmp" "c:\Windows\System32\CSC963D989D1CEA4D71909F722FCC39A96F.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\SoftwareDistribution\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SoftwareDistribution\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\DESIGNER\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ijqDdIQKja.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 077207cm.nyafka.top udp
FR 37.44.238.250:80 077207cm.nyafka.top tcp
US 8.8.8.8:53 250.238.44.37.in-addr.arpa udp
FR 37.44.238.250:80 077207cm.nyafka.top tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp (5 identical connections)
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\ProgramData\ssh\services.exe

MD5 cdfe4113f2d0e3d04921aaf02a61f4c0
SHA1 f6677353b59a891a2fe06dc2971ec383154c3094
SHA256 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008
SHA512 6892293e3a3856fd10161970e1ff149ea320bc6fc1e57c7d636d7dde25b82a9715344a5638f5d55ed4b0224cbe7af2fc8a55e6367ad3f1d5272104c7777f5404

\??\c:\Users\Admin\AppData\Local\Temp\bmmatddt\bmmatddt.cmdline

MD5 e82cf091b69da16c7f223b22435adc78
SHA1 236de8b12ba382b802fb050b4536946ca36f5fb7
SHA256 e8cb4b3c9d301fa5f8272eba9ab654cdff889851c9497ff407ff79546b1b25ae
SHA512 e23f8e8b87c75dacc056b2e5a3d09e586ee77f9e1953b870a5994a64e072085198931defa77dadff8093584675d5788f0581f5da2bb255eadd8bf87525cbc622

\??\c:\Users\Admin\AppData\Local\Temp\bmmatddt\bmmatddt.0.cs

MD5 896616c530d1aadd78f44e00ead0fef1
SHA1 df70083d3aa01265d882fc186e094d2b3bdc8662
SHA256 bd1f83d51250d4fe7bed55dbd2febfd69e80e89e1fa1d2cad32f0bb6251f25f0
SHA512 e311c0a9278f28f49fa7dfee79009edf9997657571d720e2205659159e800e3bc778a25cf47cd740493cf85882850b6f34efa62f17e65faf26a83ca01dc82605

\??\c:\Windows\System32\CSC963D989D1CEA4D71909F722FCC39A96F.TMP

MD5 75e32610d8ef6143201c7c28465fcda9
SHA1 b2bae99fade2dda07aecbe1659d184be0fc4e7a6
SHA256 97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b
SHA512 b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

C:\Users\Admin\AppData\Local\Temp\RESC479.tmp

MD5 903f39866093d83f93dbf1264f9fb613
SHA1 7c88447649be2bc952db89e737baf681d023ac68
SHA256 2659753d2a3bbc5a08dfff89864e3b13fed1dbf3772fde4ad5e720d48a48a490
SHA512 9cb2d2e980d85ddd969a63eed9a82a5087451345c0b02025b989cdc517268cee536ac58df39b407b42c939c1d5f440649f155974c7f8aa50e7156c3d0750fe11

C:\Users\Admin\AppData\Local\Temp\ijqDdIQKja.bat

MD5 2fc387bf73f5097b937d1683957f4fb1
SHA1 a0fdeb38956fb1a658ec5ffd8b0ca2752381a9e3
SHA256 cdf53857156b7feaf8ea278662f3f982f29cd2393cab10973b88703e2d777642
SHA512 006202d0e5493720aa971d3f61b0e53db900915ef77d3dcae7168dcd0677ed22cde3c5014991f547f1875312185520b1deadf73c1ef9736ba410e5832f1f307d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe.log

MD5 af6acd95d59de87c04642509c30e81c1
SHA1 f9549ae93fdb0a5861a79a08f60aa81c4b32377b
SHA256 7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6
SHA512 93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 03:16

Reported

2024-10-31 03:19

Platform

win7-20240903-en

Max time kernel

137s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Program Files\\Windows Journal\\es-ES\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\WMIADAP.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Program Files\\Windows Journal\\es-ES\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Internet Explorer\\SIGNUP\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC2A14E9631414C88949919400183BB3.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\3kmwe8.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\SIGNUP\explorer.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files\Windows Journal\es-ES\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files\Windows Journal\es-ES\a35db18858f64a C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files\Windows Defender\en-US\audiodg.exe C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
File created C:\Program Files\Windows Defender\en-US\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Defender\en-US\audiodg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2380 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2380 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2848 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2848 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2848 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2380 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\System32\cmd.exe
PID 2380 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\System32\cmd.exe
PID 2380 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2192 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2192 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2192 wrote to memory of 1892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2192 wrote to memory of 1892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2192 wrote to memory of 1892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2192 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Defender\en-US\audiodg.exe
PID 2192 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Defender\en-US\audiodg.exe
PID 2192 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Defender\en-US\audiodg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe

"C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\SIGNUP\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\SIGNUP\explorer.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nveu30fn\nveu30fn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCE7.tmp" "c:\Windows\System32\CSC2A14E9631414C88949919400183BB3.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\es-ES\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\es-ES\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N5" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008N.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iAXkGkYzAg.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\Windows Defender\en-US\audiodg.exe

"C:\Program Files\Windows Defender\en-US\audiodg.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 077207cm.nyafka.top udp
FR 37.44.238.250:80 077207cm.nyafka.top tcp
FR 37.44.238.250:80 077207cm.nyafka.top tcp

Files

memory/2380-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

memory/2380-1-0x0000000001120000-0x00000000012FA000-memory.dmp

memory/2380-2-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/2380-3-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/2380-4-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/2380-6-0x0000000000380000-0x000000000038E000-memory.dmp

memory/2380-8-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/2380-9-0x0000000000430000-0x000000000044C000-memory.dmp

memory/2380-10-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/2380-12-0x0000000000450000-0x0000000000468000-memory.dmp

memory/2380-16-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/2380-17-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/2380-15-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/2380-14-0x0000000000390000-0x000000000039C000-memory.dmp

C:\Program Files\Internet Explorer\SIGNUP\explorer.exe

MD5 cdfe4113f2d0e3d04921aaf02a61f4c0
SHA1 f6677353b59a891a2fe06dc2971ec383154c3094
SHA256 545ec0cff0698c5502aa7a7727d67c8de1546f2435f94e4a845d4d65dbfb1008
SHA512 6892293e3a3856fd10161970e1ff149ea320bc6fc1e57c7d636d7dde25b82a9715344a5638f5d55ed4b0224cbe7af2fc8a55e6367ad3f1d5272104c7777f5404

\??\c:\Users\Admin\AppData\Local\Temp\nveu30fn\nveu30fn.cmdline

MD5 93a366644594df4e133c7de6da8fc0f0
SHA1 fcdabedf66561214b24054797bf258cf30fae486
SHA256 dba309a2c204c4ef041302bebf0c764d26f7a2b8046186c0211dbdc8b65dc7f0
SHA512 d0835812b25561c8ccd8b172a88609e7a5d0ea644616ec5c66b43c7be083dd3c05769c12d917aa525c28ed606bc03b718586ab40cd85814e200ceeb154454f90

\??\c:\Users\Admin\AppData\Local\Temp\nveu30fn\nveu30fn.0.cs

MD5 a0f75b34f35fd726d6e164c7cafc4710
SHA1 a71a01a95f0d8c748b25c07e4d786ef6b78118ff
SHA256 3964027e3afff4ca53f9be45fd54e88a2294fa5c1849db5561f1af959ce2cbf1
SHA512 8d522b6c1d395f10b47082dcadaeb83c58e437d6cc0fbd3f6d88624176356d8840f82ee969d75a6434bab476c14ad7a7c83ad354751f80d9005eec306c40e41e

\??\c:\Windows\System32\CSC2A14E9631414C88949919400183BB3.TMP

MD5 8c85ef91c6071d33745325a8fa351c3e
SHA1 e3311ceef28823eec99699cc35be27c94eca52d2
SHA256 8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41
SHA512 2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

C:\Users\Admin\AppData\Local\Temp\RESDCE7.tmp

MD5 9096c5375bea8d98e3191b7a1afe0c5a
SHA1 7d7d03e9a63f18fc2e85710c5f7d66d4fb34711c
SHA256 2d4b17488479018550549d0c21eb14b385b4d1826276d9ecb5634f63ef979907
SHA512 d77285815698fe8ec972c1c1213da67b8638911e9895b17d640df56b04cecc9c9c5b81a6a9127dd30ec1e17ff828911c5b367499b95f3ee81df1eb97ff9a1571

C:\Users\Admin\AppData\Local\Temp\iAXkGkYzAg.bat

MD5 b30ac6eb3909ee869d56b033b5a0bb3a
SHA1 7678f96cc8620da0631f845faff4b535e56bebdb
SHA256 9d1642bd73fcb4a3685e210f63ede69e2097246a5b5ebd8422ab2fd62c78750b
SHA512 35ca3616104111865fa776709e90b9367f4adf67ee553324284aca8be7792749273ab5f7b55ae2584d1b31e33e86b959612be35f5de719ea74ffbcd34c4508b3

memory/2380-46-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/1512-49-0x00000000009A0000-0x0000000000B7A000-memory.dmp