Malware Analysis Report

2025-06-16 06:57

Sample ID 241104-dzmhpasemd
Target b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84
SHA256 b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84
Tags
rat dcrat evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84

Threat Level: Known bad

The file b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84 was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

Dcrat family

DcRat

DCRat payload

Process spawned unexpected child process

UAC bypass

DCRat payload

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Uses Task Scheduler COM API

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 03:26

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 03:26

Reported

2024-11-04 03:29

Platform

win7-20240708-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (9 identical rows)
File created | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (9 identical rows)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Windows\System32\LogFiles\AIT\1610b97d3ab4a7 | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (6 identical rows)
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (21 identical rows)

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe (45 identical rows)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 identical rows)

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\LogFiles\AIT\RCX5114.tmp | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Windows\System32\LogFiles\AIT\1610b97d3ab4a7 | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Windows\System32\LogFiles\AIT\RCX5096.tmp | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files\Internet Explorer\es-ES\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files\Windows Portable Devices\lsass.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files\Windows Portable Devices\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX4E05.tmp | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Program Files\Windows Portable Devices\lsass.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files\Internet Explorer\es-ES\explorer.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX4E15.tmp | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\es-ES\explorer.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.NET\Framework\1036\explorer.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\RCX4BE1.tmp | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File opened for modification | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\RCX4BE2.tmp | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\1036\explorer.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\1036\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (45 identical rows)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A (48 identical rows)
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | N/A (16 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3020 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | C:\Windows\System32\cmd.exe (3 identical rows)
PID 2112 wrote to memory of 1200 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe (3 identical rows)
PID 2112 wrote to memory of 1296 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe (3 identical rows)
PID 1296 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | C:\Windows\System32\cmd.exe (3 identical rows)
PID 2172 wrote to memory of 1332 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe (3 identical rows)
PID 2172 wrote to memory of 2092 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe (3 identical rows)
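
The two process-relationship signatures on this page, the 45 schtasks.exe launches whose parent is wmiprvse.exe and the WriteProcessMemory chain just above, describe the same activity from two angles. A child whose parent is WmiPrvSE.exe is what process creation through WMI (Win32_Process.Create) looks like on the endpoint, which is why the sandbox does not expect that parent for schtasks.exe. The WriteProcessMemory rows come in threes per parent/child pair, which is what a parent writing into a child it has just created looks like, so that table reads as a process-creation chain rather than injection: the sample starts cmd.exe, cmd.exe runs w32tm.exe and then re-launches the sample, and the second instance repeats the pattern before its cmd.exe starts the dropped lsm.exe from the Adobe Reader directory. The code below is an added example, not part of the sandbox output or of DCRat: it rebuilds the tree from process-creation records whose PIDs and images are taken from the rows above, plus two constructed records for a wmiprvse.exe/schtasks.exe pair (PIDs 4000 and 4001 are assumptions; the page gives no PIDs for those 45 launches), and it flags unexpected parents and the re-launch-through-cmd.exe pattern. EXPECTED_PARENTS is a starting allow-list to tune per environment, not a published baseline.

```python
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe")

# Process-creation records as (pid, ppid, image). The first seven are the
# WriteProcessMemory chain above; the last two are constructed stand-ins for the
# wmiprvse.exe -> schtasks.exe pairs, whose PIDs the page does not give.
EVENTS = [
    (3020, None, SAMPLE),
    (2112, 3020, r"C:\Windows\System32\cmd.exe"),
    (1200, 2112, r"C:\Windows\system32\w32tm.exe"),
    (1296, 2112, SAMPLE),
    (2172, 1296, r"C:\Windows\System32\cmd.exe"),
    (1332, 2172, r"C:\Windows\system32\w32tm.exe"),
    (2092, 2172, r"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"),
    (4000, None, r"C:\Windows\system32\wbem\wmiprvse.exe"),  # assumed PID
    (4001, 4000, r"C:\Windows\system32\schtasks.exe"),        # assumed PID
]

# Parents that normally launch each child (lower-case basenames). A starting
# allow-list to tune per environment; wmiprvse.exe is deliberately absent for
# schtasks.exe because task creation through WMI is what this sample does.
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "explorer.exe", "powershell.exe", "mmc.exe", "svchost.exe"},
    "w32tm.exe": {"cmd.exe", "svchost.exe", "services.exe"},
}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def build_tree(events):
    """Return ({pid: (ppid, image)}, {ppid: [child pids in creation order]})."""
    procs = {pid: (ppid, image) for pid, ppid, image in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        if ppid is not None:
            children[ppid].append(pid)
    return procs, children

def ancestry(procs, pid):
    """Image basenames from the root down to pid."""
    chain, seen = [], set()
    while pid is not None and pid in procs and pid not in seen:
        seen.add(pid)
        ppid, image = procs[pid]
        chain.append(basename(image))
        pid = ppid
    chain.reverse()
    return chain

def find_anomalies(events):
    """(pid, kind, detail) for unexpected parents and for an image re-launched via cmd.exe."""
    procs, _ = build_tree(events)
    findings = []
    for pid, (ppid, image) in procs.items():
        if ppid is None or ppid not in procs:
            continue
        child, parent = basename(image), basename(procs[ppid][1])
        if child in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[child]:
            findings.append((pid, "unexpected-parent", f"{parent} -> {child}"))
        chain = ancestry(procs, pid)
        # chain[:-2] is everything above the parent; the sample appears there
        # when cmd.exe starts it again (PID 2112 -> 1296 in the rows above).
        if parent == "cmd.exe" and child in chain[:-2]:
            findings.append((pid, "relaunch-via-cmd", " -> ".join(chain)))
    return findings

def render_tree(events, root):
    """Indented lines, one per process, the way the sandbox's process list reads."""
    procs, children = build_tree(events)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(procs[pid][1])}")
        for child in children[pid]:
            walk(child, depth + 1)
    walk(root, 0)
    return lines

if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, 3020)))
    for finding in find_anomalies(EVENTS):
        print(*finding)
```

On real telemetry the records come from Sysmon Event ID 1 or the EDR's process-start feed, where ParentImage is already populated; the allow-list check is the same, and the relaunch check is what separates a self-restarting loader from an ordinary cmd.exe batch.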

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

"C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xYfwFNBoa.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

"C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84b" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84b" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Framework\1036\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1036\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework\1036\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tNEyebdJS9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe"
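Added example (not part of the sandbox output). The schtasks.exe command lines above follow one template per drop: an ONLOGON task at /rl HIGHEST and a MINUTE task whose name is the same stem with its own first letter appended (lsass / lsassl, csrss / csrssc, OSPPSVC / OSPPSVCO, spoolsv / spoolsvs), both pointing at a copy named after a Windows process but placed somewhere that process never lives. The script parses such command lines and raises a flag for each of the three traits. The input is constructed from a subset of the lines above; the "Backup" task and C:\Tools\backup.exe are invented as a benign control, and the expected-directory table is my own assumption about where each impersonated binary normally resides.

```python
"""Parse schtasks /create command lines and flag the persistence pattern in the
process list above: a Windows process name planted outside its normal
directory, run at HIGHEST, as an ONLOGON task paired with a MINUTE task whose
name is the stem plus its own first character (lsass / lsassl, csrss / csrssc).
"""
import re
from collections import defaultdict

# Constructed input: command lines from the list above plus one benign control
# line (the Backup task and C:\Tools\backup.exe are invented for the test).
CMDLINES = [
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "'C:\Tools\backup.exe'" /f''',
]

# switch -> value; quoted values may contain spaces
FLAG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.I)

# Assumed legitimate home of each impersonated process name (lower-case, no trailing slash).
SYSTEM32 = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_DIRS = {n: SYSTEM32 for n in ("lsass", "csrss", "smss", "winlogon", "services", "spoolsv",
                                       "audiodg", "lsm", "dllhost", "runtimebroker",
                                       "backgroundtaskhost", "sppsvc")}
EXPECTED_DIRS["explorer"] = {r"c:\windows"}
EXPECTED_DIRS["osppsvc"] = {r"c:\program files\common files\microsoft shared\officesoftwareprotectionplatform"}


def parse_task(cmdline):
    """Dict of the switches we care about; /tr loses both quote layers."""
    task = {}
    for switch, value in FLAG_RE.findall(cmdline):
        task[switch.lower()] = value.strip('"').strip("'")
    task.setdefault("rl", "LIMITED")  # schtasks default run level
    return task


def analyze(cmdlines):
    """One finding per /create line: task name, target and the set of flags raised."""
    tasks = [parse_task(c) for c in cmdlines if "/create" in c.lower()]
    by_target = defaultdict(list)
    for t in tasks:
        by_target[t.get("tr", "").lower()].append(t)

    findings = []
    for t in tasks:
        flags = set()
        target = t.get("tr", "")
        directory, _, base = target.lower().rpartition("\\")
        stem = base[:-4] if base.endswith(".exe") else base
        if stem in EXPECTED_DIRS and directory not in EXPECTED_DIRS[stem]:
            flags.add("masquerade")
        if t["rl"].upper() == "HIGHEST":
            flags.add("highest")
        name = t.get("tn", "")
        if name and t.get("sc", "").upper() == "ONLOGON":
            twin = name + name[0]  # the MINUTE task name seen alongside every ONLOGON task above
            if any(s.get("sc", "").upper() == "MINUTE" and s.get("tn") == twin
                   for s in by_target[target.lower()]):
                flags.add("paired_minute_task")
        findings.append({"tn": name, "tr": target, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in analyze(CMDLINES):
        print(f"{f['tn']:<10} {sorted(f['flags']) or '-'}  {f['tr']}")
```

On a host, the same command lines are in Sysmon Event ID 1 or Security 4688 (with command-line auditing), and already-installed tasks can be exported with "schtasks /query /fo LIST /v" and the "Task To Run" field fed to parse_task in place of a /tr switch. The masquerade check alone catches every persistence target in this report, since none of the copies sits in System32; the pairing check is the more specific signal when the attacker picks less obvious names.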

Network

Country Destination Domain Proto
US 8.8.8.8:53 bebragrad122.myartsonline.com udp
BG 185.176.43.98:80 bebragrad122.myartsonline.com tcp

Files

memory/3020-0-0x000007FEF4C83000-0x000007FEF4C84000-memory.dmp

memory/3020-1-0x00000000008A0000-0x0000000000B64000-memory.dmp

memory/3020-2-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

memory/3020-3-0x0000000000880000-0x000000000088E000-memory.dmp

memory/3020-4-0x0000000002160000-0x000000000217C000-memory.dmp

memory/3020-5-0x0000000000890000-0x0000000000898000-memory.dmp

memory/3020-6-0x0000000002180000-0x0000000002190000-memory.dmp

memory/3020-7-0x0000000002300000-0x0000000002316000-memory.dmp

memory/3020-9-0x000000001A8C0000-0x000000001A8CA000-memory.dmp

memory/3020-8-0x0000000002190000-0x0000000002198000-memory.dmp

memory/3020-10-0x000000001ADD0000-0x000000001AE26000-memory.dmp

memory/3020-11-0x000000001A8B0000-0x000000001A8B8000-memory.dmp

memory/3020-12-0x000000001A8D0000-0x000000001A8E2000-memory.dmp

memory/3020-13-0x000000001AE20000-0x000000001AE2C000-memory.dmp

memory/3020-14-0x000000001AE30000-0x000000001AE38000-memory.dmp

memory/3020-15-0x000000001AE40000-0x000000001AE4E000-memory.dmp

memory/3020-16-0x000000001AE50000-0x000000001AE5E000-memory.dmp

memory/3020-17-0x000000001AE60000-0x000000001AE6C000-memory.dmp

memory/3020-18-0x000000001AE70000-0x000000001AE7A000-memory.dmp

memory/3020-19-0x000000001AE80000-0x000000001AE8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RCX49BE.tmp

MD5 93b41bde029ee047568eaf23be8cf599
SHA1 50ce44062008f18a3127522e5fa94d373c97ca8f
SHA256 b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84
SHA512 8744ac0e952e5e1d9f40dc89a9131353c475d8eeb309d34e68209e985e16fff80e1df3a16282ad48e95e3f27380e6b47e89d2e6df1ac5b652ab8a4b5b85eecf3

C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe

MD5 3b8de76fe3217e9df1cb37fdc3115d85
SHA1 530450cfa8e72cd114a30d97cfd32162266d761b
SHA256 aad5921a941a3ae1c4f965f3ad6b021a5fb7f6c902744005b6bf7d35440c65bc
SHA512 902cec748d1ccc2893d7bb90b24c841b0a0fc1c35c684c87a369d720ff44f149291762ab53d6aa37a10d9376b6304929560f0281246cc947eccf92c22539c9b9

C:\Users\Admin\AppData\Local\Temp\6xYfwFNBoa.bat

MD5 68f30288679b162d6f1fbf8f033d593b
SHA1 23ba513d61c38579f1dd768fa18e49ce413ba6b5
SHA256 60ab5211f289c610a7663ff883418f7c8d2837afef7e92ce94648f06db646f1c
SHA512 bfb92c929595f10a1364553d091b61c6f75e75b86b038d13fa39a7324b3348e528759eda95a74b77f04db1d0ff6f4513d77088c5539d40d73c017b90d436098c

memory/3020-71-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

memory/1296-73-0x0000000000040000-0x0000000000304000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tNEyebdJS9.bat

MD5 4f2c6debe66cbff203af6439a4f77ee5
SHA1 be7c47b7e768cbaafb20fad97359567d743d7d2c
SHA256 3c97098d3e3b5687bd7361ed3e5ea42f4ed79bcb7533b0319081c89d963233fc
SHA512 09ab37b1fa13345e126d95a2c88827cd6e0f7e99dfec60a8aac6720346b733bbfb1562744c5f8cb241c7504d4541187d8e90c60978a06484ecdd959af3a78e42

memory/2092-129-0x0000000000120000-0x00000000003E4000-memory.dmp

memory/2092-130-0x00000000007B0000-0x00000000007C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 03:26

Reported

2024-11-04 03:29

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\TAPI\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\TAPI\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\TAPI\smss.exe N/A
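Added example (not part of the sandbox output), covering the "System policy modification" table in behavioral1 and the "UAC bypass" and "Checks whether UAC is enabled" tables in behavioral2. Both the original sample and its dropped copy (lsm.exe on Windows 7, C:\Windows\TAPI\smss.exe on Windows 10) read EnableLUA and then set EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0. The script parses rows in the report's layout, reports per process which of the three values it zeroed and whether it queried EnableLUA first, and emits reg.exe commands that restore the defaults. The input is constructed from the behavioral2 rows with the SHA256-named binary shortened to sample.exe; the regedit.exe row (an administrator setting the default value 5) is invented as a benign control.

```python
"""Flag UAC policy tampering in registry rows shaped like the tables above.

Values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
that the sample writes, with their stock defaults and what 0 means:
  EnableLUA                  default 1; 0 turns UAC off (effective after reboot)
  ConsentPromptBehaviorAdmin default 5; 0 elevates administrators without prompting
  PromptOnSecureDesktop      default 1; 0 removes the secure-desktop prompt
"""
import re
from collections import defaultdict

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

SET_RE = re.compile(r'^Set value \(int\) (?P<path>\\REGISTRY\\\S+?)\\(?P<name>\w+) = "(?P<val>-?\d+)" (?P<proc>.+?) N/A$')
QUERY_RE = re.compile(r'^Key value queried (?P<path>\\REGISTRY\\\S+?)\\(?P<name>\w+) (?P<proc>.+?) N/A$')

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # SHA256-named binary, shortened
SMSS = r"C:\Windows\TAPI\smss.exe"
# Constructed input: rows from the behavioral2 tables plus one benign row
# (an administrator restoring the default with regedit; invented for the test).
ROWS = [
    f"Key value queried {UAC_KEY}\\EnableLUA {SAMPLE} N/A",
    f'Set value (int) {UAC_KEY}\\EnableLUA = "0" {SAMPLE} N/A',
    f'Set value (int) {UAC_KEY}\\ConsentPromptBehaviorAdmin = "0" {SAMPLE} N/A',
    f'Set value (int) {UAC_KEY}\\PromptOnSecureDesktop = "0" {SAMPLE} N/A',
    f"Key value queried {UAC_KEY}\\EnableLUA {SMSS} N/A",
    f'Set value (int) {UAC_KEY}\\EnableLUA = "0" {SMSS} N/A',
    f'Set value (int) {UAC_KEY}\\ConsentPromptBehaviorAdmin = "5" C:\\Windows\\regedit.exe N/A',
]


def normalize(path):
    """Kernel-style hive prefixes to the HKLM/HKU spelling reg.exe uses."""
    return path.replace(r"\REGISTRY\MACHINE", "HKLM").replace(r"\REGISTRY\USER", "HKU")


def parse_rows(rows):
    """Registry set/query rows to event dicts; anything else is ignored."""
    events = []
    for row in rows:
        m = SET_RE.match(row)
        if m:
            events.append({"op": "set", "key": normalize(m["path"]), "name": m["name"],
                           "value": int(m["val"]), "proc": m["proc"]})
            continue
        m = QUERY_RE.match(row)
        if m:
            events.append({"op": "query", "key": normalize(m["path"]), "name": m["name"],
                           "proc": m["proc"]})
    return events


def uac_findings(rows):
    """Per process that zeroed a UAC value: which values, and whether it read EnableLUA first."""
    per_proc = defaultdict(lambda: {"queried_enablelua": False, "zeroed": {}})
    for ev in parse_rows(rows):
        if ev["key"] != normalize(UAC_KEY) or ev["name"] not in UAC_DEFAULTS:
            continue
        entry = per_proc[ev["proc"]]
        if ev["op"] == "query" and ev["name"] == "EnableLUA":
            entry["queried_enablelua"] = True
        elif ev["op"] == "set" and ev["value"] == 0:
            entry["zeroed"][ev["name"]] = 0
    return {proc: e for proc, e in per_proc.items() if e["zeroed"]}


def uac_fully_disabled(finding):
    """All three values zeroed: every later elevation is silent once the host reboots."""
    return all(name in finding["zeroed"] for name in UAC_DEFAULTS)


def remediation_commands(finding):
    """reg.exe lines that put the touched values back to their defaults."""
    key = normalize(UAC_KEY)
    return [f'reg add "{key}" /v {name} /t REG_DWORD /d {UAC_DEFAULTS[name]} /f'
            for name in finding["zeroed"]]


if __name__ == "__main__":
    for proc, finding in uac_findings(ROWS).items():
        print(proc, sorted(finding["zeroed"]), "fully disabled" if uac_fully_disabled(finding) else "partial")
        for cmd in remediation_commands(finding):
            print("   ", cmd)
```

Writing these three values needs an already-elevated token, so the rows are evidence that the sample was running as an administrator when it fired; the change to EnableLUA only takes effect after a reboot, which is why the scheduled ONLOGON tasks at /rl HIGHEST matter. Live equivalents of these rows are Sysmon Event ID 13 or Security 4657 with auditing on the Policies\System key, and the current state can be read with "reg query" on that key.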

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\TAPI\smss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\TAPI\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\TAPI\smss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Program Files (x86)\Microsoft\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\RCXB2E9.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files\Common Files\System\RCXBC29.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\RCXC4FA.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\RCXC4FB.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Program Files (x86)\Microsoft\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXB50E.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files\Common Files\System\dllhost.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Program Files\Common Files\System\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\RCXB2F9.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\sysmon.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files\Common Files\System\RCXBB9B.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\sysmon.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Program Files\Common Files\System\dllhost.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXB51E.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\TAPI\smss.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Windows\Speech\Engines\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Windows\TAPI\RCXB967.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Windows\Help\en-US\RCXC044.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Windows\Help\en-US\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Windows\Speech\Engines\RCXC258.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Windows\Speech\Engines\RCXC269.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Windows\TAPI\smss.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Windows\TAPI\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Windows\Help\en-US\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Windows\Help\en-US\RCXC043.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Windows\Help\en-US\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File created C:\Windows\Speech\Engines\Registry.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Windows\TAPI\RCXB978.tmp C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
File opened for modification C:\Windows\Speech\Engines\Registry.exe C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
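Added example (not part of the sandbox output), covering the "Drops file in Program Files directory" and "Drops file in Windows directory" tables above. Every drop site in those tables receives the same trio: an RCX####.tmp file opened for modification, an executable named after a process Windows normally shows (RuntimeBroker.exe, smss.exe, dllhost.exe, sppsvc.exe, backgroundTaskHost.exe, Registry.exe, sysmon.exe), and a 14-hex-character companion file (9e8d7a4ca61bd9, 69ddcba757bf72, ee2ad38f3d4382). The script groups file rows by directory and reports the directories that show the executable-plus-companion pairing. The input is constructed from a subset of the rows above with the SHA256-named binary shortened to sample.exe; the notes.txt row is invented as a benign control.

```python
"""Group the file rows above by directory and flag the drop pattern they share:
a process name Windows normally shows (smss.exe, RuntimeBroker.exe, ...) written
where it does not belong, staged through an RCX####.tmp file, with a
14-hex-character companion file beside it.
"""
import re
from collections import defaultdict

FILE_RE = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>[A-Z]:\\.+?) (?P<proc>[A-Z]:\\.+?) N/A$")
HEX14_RE = re.compile(r"^[0-9a-f]{14}$")
TMP_RE = re.compile(r"^RCX[0-9A-F]{4}\.tmp$", re.I)
# Names the sample reuses for its copies (lower-case); none belongs under Program Files or Windows\TAPI.
IMPERSONATED = {"smss.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "spoolsv.exe",
                "dllhost.exe", "sppsvc.exe", "runtimebroker.exe", "backgroundtaskhost.exe",
                "registry.exe", "sysmon.exe", "explorer.exe", "lsm.exe", "audiodg.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # SHA256-named binary, shortened
# Constructed input: rows from the two tables above plus one benign row (notes.txt, invented).
ROWS = [
    rf"File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9 {SAMPLE} N/A",
    rf"File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXB50E.tmp {SAMPLE} N/A",
    rf"File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Windows\TAPI\RCXB967.tmp {SAMPLE} N/A",
    rf"File created C:\Windows\TAPI\smss.exe {SAMPLE} N/A",
    rf"File created C:\Windows\TAPI\69ddcba757bf72 {SAMPLE} N/A",
    rf"File created C:\Windows\Speech\Engines\Registry.exe {SAMPLE} N/A",
    rf"File created C:\Windows\Speech\Engines\ee2ad38f3d4382 {SAMPLE} N/A",
    rf"File created C:\Users\Admin\AppData\Local\Temp\notes.txt {SAMPLE} N/A",
]


def drop_sites(rows):
    """Per directory: impersonating executables, hex companions, RCX temp files, writing processes."""
    sites = defaultdict(lambda: {"exe": set(), "marker": set(), "tmp": set(), "proc": set()})
    for row in rows:
        m = FILE_RE.match(row)
        if not m:
            continue
        directory, _, name = m["path"].rpartition("\\")
        site = sites[directory]
        site["proc"].add(m["proc"])
        if name.lower() in IMPERSONATED:
            site["exe"].add(name)
        elif HEX14_RE.match(name.lower()):
            site["marker"].add(name)
        elif TMP_RE.match(name):
            site["tmp"].add(name)
    return sites


def suspicious_drop_sites(rows):
    """Directories that received both an impersonating executable and a hex companion file."""
    return {d: s for d, s in drop_sites(rows).items() if s["exe"] and s["marker"]}


if __name__ == "__main__":
    for directory, site in suspicious_drop_sites(ROWS).items():
        print(directory, sorted(site["exe"]), sorted(site["marker"]), sorted(site["tmp"]))
```

The companion-file rule is the cheap triage filter: a bare 14-hex-character filename next to a freshly written "system" executable is not something an installer produces, and the directories it lights up here match the /tr targets of the scheduled tasks in behavioral1, so the same function can be pointed at Sysmon Event ID 11 (FileCreate) rows to find the drop sites on a live host before the tasks fire.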

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A
N/A N/A C:\Windows\TAPI\smss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\TAPI\smss.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\TAPI\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\TAPI\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\TAPI\smss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe

"C:\Users\Admin\AppData\Local\Temp\b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\System\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Documents\My Videos\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Documents\My Videos\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\en-US\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Help\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\Engines\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2HVdYORdue.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\TAPI\smss.exe

"C:\Windows\TAPI\smss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 bebragrad122.myartsonline.com udp
BG 185.176.43.98:80 bebragrad122.myartsonline.com tcp
US 8.8.8.8:53 98.43.176.185.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/436-0-0x00007FFB89CE3000-0x00007FFB89CE5000-memory.dmp

memory/436-1-0x0000000000C80000-0x0000000000F44000-memory.dmp

memory/436-2-0x00007FFB89CE0000-0x00007FFB8A7A1000-memory.dmp

memory/436-3-0x0000000001810000-0x000000000181E000-memory.dmp

memory/436-4-0x0000000003080000-0x000000000309C000-memory.dmp

memory/436-5-0x000000001C210000-0x000000001C260000-memory.dmp

memory/436-7-0x00000000030A0000-0x00000000030B0000-memory.dmp

memory/436-6-0x0000000001820000-0x0000000001828000-memory.dmp

memory/436-8-0x00000000031C0000-0x00000000031D6000-memory.dmp

memory/436-9-0x00000000031E0000-0x00000000031E8000-memory.dmp

memory/436-10-0x0000000003210000-0x000000000321A000-memory.dmp

memory/436-11-0x000000001C260000-0x000000001C2B6000-memory.dmp

memory/436-12-0x00000000031F0000-0x00000000031F8000-memory.dmp

memory/436-13-0x0000000003200000-0x0000000003212000-memory.dmp

memory/436-14-0x000000001C800000-0x000000001CD28000-memory.dmp

memory/436-15-0x000000001C2D0000-0x000000001C2DC000-memory.dmp

memory/436-16-0x000000001C550000-0x000000001C558000-memory.dmp

memory/436-17-0x000000001C3E0000-0x000000001C3EE000-memory.dmp

memory/436-18-0x000000001C3F0000-0x000000001C3FE000-memory.dmp

memory/436-19-0x000000001C400000-0x000000001C40C000-memory.dmp

memory/436-20-0x000000001C510000-0x000000001C51A000-memory.dmp

memory/436-21-0x000000001C520000-0x000000001C52C000-memory.dmp

C:\Windows\TAPI\smss.exe

MD5 93b41bde029ee047568eaf23be8cf599
SHA1 50ce44062008f18a3127522e5fa94d373c97ca8f
SHA256 b0c1b143e23bdbcaeb5916b4ecb941fe5072023136e157394df8d1e1c306bf84
SHA512 8744ac0e952e5e1d9f40dc89a9131353c475d8eeb309d34e68209e985e16fff80e1df3a16282ad48e95e3f27380e6b47e89d2e6df1ac5b652ab8a4b5b85eecf3

C:\Program Files\Common Files\System\dllhost.exe

MD5 1d5284e7be9719a57af56e2c7023ed7a
SHA1 d695d25fce3d6ddc1a889f6d8c925f03e261296d
SHA256 d20ed1c89a7e3eb899acfceacb181d5c23be64aebb3a2704d1b933ba507bf4b0
SHA512 e7c4dc71423bfc48040199d5fd913eb4a86dc3a9cc4a8921294e68b6cfa4b9d9ca397508c90f25d6595722b3162601fbbffaf024d05ff9ad469ecda259d7db9e

memory/436-164-0x00007FFB89CE3000-0x00007FFB89CE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2HVdYORdue.bat

MD5 2931b4655b9fe531af681c7e7336842e
SHA1 e015eff0bc48bce2fc99ffcd6aec58e9d3c62ff7
SHA256 1fea705d22be06e14b0b83c6db68f5e4bb177b2652147e91cbc0441830e7cb1e
SHA512 b24c4b8967a713bdb4940ecdac2c944e6950298c4e09fb978b669ef69627f82fe60aee03affcabc44c665a458c5af9ba9c8a77b26345764cfc39484b3028bc4e

memory/436-172-0x00007FFB89CE0000-0x00007FFB8A7A1000-memory.dmp

memory/3200-176-0x000000001D5F0000-0x000000001D602000-memory.dmp