Malware Analysis Report

2024-12-07 03:17

Sample ID 241114-f43rksvfqq
Target 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
SHA256 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58
Tags
dcrat discovery execution infostealer persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58

Threat Level: Known bad

The file 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe was found to be: Known bad.

Malicious Activity Summary

dcrat discovery execution infostealer persistence rat spyware stealer

Process spawned unexpected child process

Dcrat family

DcRat

Modifies WinLogon for persistence

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 05:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 05:26

Reported

2024-11-14 05:28

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\All Users\\Favorites\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\All Users\\Favorites\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\All Users\\Favorites\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\audiodg.exe\", \"C:\\MSOCache\\All Users\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\All Users\\Favorites\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\audiodg.exe\", \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(the same row is recorded 18 times, once per schtasks.exe /create invocation listed under Processes)

Every one of the 18 schtasks.exe invocations is parented by WmiPrvSE.exe rather than by the sample, which is consistent with the tasks being created through WMI process creation (Win32_Process.Create) instead of a direct CreateProcess call. A detection keyed on a "sample → schtasks.exe" parent/child pair therefore never fires; "wmiprvse.exe → schtasks.exe" is rare enough on workstations to alert on directly.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\MSBuild\winlogon.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Favorites\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\MSBuild\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Favorites\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
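The two registry signatures above (Winlogon\Shell and the Run keys) share one give-away: the extra entries borrow the names of core Windows binaries (winlogon.exe, smss.exe, sppsvc.exe, audiodg.exe) but point outside C:\Windows. The Python below is an added example, not code from this report or from any tool it names. It parses a Winlogon\Shell string the way the registry stores it (comma-separated, quoted paths) and a set of Run values, and returns the entries a clean host should not have. The input is constructed from the final values in the tables above with the report's backslash escaping undone, plus one benign OneDrive Run value as a control; the list of system-binary names is my own assumption, not taken from the report.

```python
import csv
import ntpath

# Constructed from this report: the final Winlogon\Shell value and three HKLM Run values,
# with the escaping of the report's table undone (this is how the strings sit in the registry).
SAMPLE_SHELL = (
    'explorer.exe, "C:\\Program Files (x86)\\MSBuild\\winlogon.exe", '
    '"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe", '
    '"C:\\Users\\All Users\\Favorites\\sppsvc.exe", '
    '"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\audiodg.exe", '
    '"C:\\MSOCache\\All Users\\OSPPSVC.exe", '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"'
)
SAMPLE_RUN = {
    "sppsvc": '"C:\\Users\\All Users\\Favorites\\sppsvc.exe"',
    "OSPPSVC": '"C:\\MSOCache\\All Users\\OSPPSVC.exe"',
    "winlogon": '"C:\\Program Files (x86)\\MSBuild\\winlogon.exe"',
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',  # benign control, constructed
}

# Assumption: binaries Windows only ever runs from under C:\Windows; a copy elsewhere is a masquerade.
SYSTEM_BINARY_NAMES = {"winlogon.exe", "smss.exe", "sppsvc.exe", "audiodg.exe", "csrss.exe",
                       "lsass.exe", "services.exe", "svchost.exe", "dwm.exe", "taskhost.exe"}


def parse_shell_value(value):
    """Split a Winlogon\\Shell string into entries; quoted entries may contain commas and spaces."""
    rows = list(csv.reader([value], skipinitialspace=True))
    return [e.strip() for e in rows[0] if e.strip()] if rows else []


def shell_extras(value):
    """Everything Winlogon would launch besides the default shell. Empty on a clean host."""
    return [e for e in parse_shell_value(value) if e.lower() != "explorer.exe"]


def run_value_exe(value):
    """Executable path of a Run value: the quoted head, or the first token if unquoted."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def masquerading_paths(paths):
    """Paths that borrow a system-binary name but sit outside the Windows directory."""
    hits = []
    for p in paths:
        low = p.lower()
        if ntpath.basename(low) in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
            hits.append(p)
    return hits


def audit(shell_value, run_values):
    """Suspicious entries from both locations, keyed by where they were found."""
    extras = shell_extras(shell_value)
    run_exes = [run_value_exe(v) for v in run_values.values()]
    return {
        "shell_extra_entries": extras,
        "shell_masquerades": masquerading_paths(extras),
        "run_masquerades": masquerading_paths(run_exes),
    }


if __name__ == "__main__":
    for key, items in audit(SAMPLE_SHELL, SAMPLE_RUN).items():
        print(key)
        for item in items:
            print("   ", item)
```

On a live host the same functions take the output of a registry export (reg query or Get-ItemProperty) in place of the constructed strings; the Shell check is the stronger of the two because the default value is exactly "explorer.exe" and any appended entry is abnormal, whereas Run keys need the name check to separate the dropped copies from legitimate autostarts.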

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC797F64D6C1124E22AAED1FCADA447C4.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\qmeprf.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

The writer here is the .NET compiler, not the sample: the sample invokes csc.exe at runtime (see the csc.exe and cvtres.exe command lines under Processes) and the compiled output lands in System32, which also shows the compile ran with write access to that directory. csc.exe creating a .exe under System32 is a usable detection on its own.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MSBuild\winlogon.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Program Files (x86)\MSBuild\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Caveat before treating this as an implanted root: the thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 matches the SHA-1 fingerprint of the public ISRG Root X1 certificate (the Let's Encrypt root). On a Windows 7 image that lacks that root, CryptoAPI's automatic root update installs it in-process on the first TLS handshake that chains to it, which is why the sample appears as the writing process. The most plausible reading is a side effect of the HTTPS connections listed under Network rather than a deliberate trust-store modification; compare the Blob against the published ISRG Root X1 certificate before acting on this signature.

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
(identical row recorded 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2584 wrote to memory of 1860 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2544 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\cmd.exe
PID 788 wrote to memory of 1452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 788 wrote to memory of 356 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 788 wrote to memory of 2284 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\MSBuild\winlogon.exe
(each parent/child pair is logged three times in the original; shown once)

These writes are the ordinary process-creation writes a parent makes into a new child, so the value is the tree they reveal: the sample (2544) spawns csc.exe (which spawns cvtres.exe), six powershell.exe instances (one Add-MpPreference exclusion each), and cmd.exe (788), which runs the Temp batch file and from it chcp.com, PING.EXE and finally the dropped winlogon.exe copy.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xv5h53ey\xv5h53ey.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD845.tmp" "c:\Windows\System32\CSC797F64D6C1124E22AAED1FCADA447C4.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QMh4TGGzQW.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\MSBuild\winlogon.exe

"C:\Program Files (x86)\MSBuild\winlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 221580cm.nyashkoon.in udp
FR 37.44.238.250:80 221580cm.nyashkoon.in tcp
FR 37.44.238.250:80 221580cm.nyashkoon.in tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2544-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

memory/2544-1-0x00000000002A0000-0x00000000004A4000-memory.dmp

memory/2544-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-3-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-4-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-6-0x0000000000620000-0x000000000062E000-memory.dmp

memory/2544-7-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-8-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-11-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-10-0x0000000000650000-0x000000000066C000-memory.dmp

memory/2544-17-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-16-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-15-0x0000000000720000-0x0000000000732000-memory.dmp

memory/2544-13-0x0000000000700000-0x0000000000718000-memory.dmp

memory/2544-20-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-21-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

memory/2544-28-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-27-0x0000000000740000-0x000000000074C000-memory.dmp

memory/2544-25-0x0000000000670000-0x0000000000678000-memory.dmp

memory/2544-23-0x0000000000640000-0x000000000064E000-memory.dmp

memory/2544-19-0x0000000000630000-0x000000000063E000-memory.dmp

C:\Program Files (x86)\MSBuild\winlogon.exe

MD5 43a09f586ae8fe86191c47743b5cf744
SHA1 a8bc2177c871d0d29e93737a7ebcaa3da8f182de
SHA256 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58
SHA512 ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104

\??\c:\Users\Admin\AppData\Local\Temp\xv5h53ey\xv5h53ey.cmdline

MD5 7ff84dd16a251cf561c9e26dc90ea6ab
SHA1 84bc607f09034ca9e14f4bd1883e37040cb1df67
SHA256 0a31fc6d0c6f2a87ace241e7d4433106de536cf49bb849487507093fdb5710f8
SHA512 cc877aedf8b5ebd624a058b838ad5f88fc71a5d210c3859fb6ac1caa8e5ba2131919b3780286d691a5b8772925022a0d8e5a169093b6815475b06ab01db8939f

\??\c:\Users\Admin\AppData\Local\Temp\xv5h53ey\xv5h53ey.0.cs

MD5 9bfdc74d290fe847832832db70b4e549
SHA1 b252be6a72ba79af590e6cd896a2ddddc3421891
SHA256 448a3fb67e6395bed2ca4dd8fc2332bca3faa3cb1b209acc0fee780bf09cfa93
SHA512 7bc00c136625f5ef578e8450b0b655b0b258fe96caf1f49a3bda450402f38c075c1879638f1e88fcabb2825225d7e213ea8b461b83f82d217ac166d66886ee72

\??\c:\Windows\System32\CSC797F64D6C1124E22AAED1FCADA447C4.TMP

MD5 167c870490dc33ec13a83ebb533b1bf6
SHA1 182378ebfa7c8372a988dee50a7dd6f8cda6a367
SHA256 3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6
SHA512 1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

C:\Users\Admin\AppData\Local\Temp\RESD845.tmp

MD5 8fe34f56303321538008cb8c3e74a2ac
SHA1 29ab579abeb3e210f68b1c7ee85db047a54fb982
SHA256 ae4b26aa24b54bbae1a194923efd7f1316fff25bda89955fb62ecc60c539e64d
SHA512 ce0dffc464eb6117a528979d33a36f56a0235983665fc0d2021bfe8885595d6cbc46ca29f6dd081acf778cf4dee528e53f41029245bd72592117247cfdc8ef12

memory/2544-52-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-53-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/2544-54-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

memory/1080-71-0x000000001B630000-0x000000001B912000-memory.dmp

memory/2544-70-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XUHQK88HOTG6VVAHNLLI.temp

MD5 4d0f0186517f6af8f22c9e99a64d9eea
SHA1 430648afbf74777d26e29a2595c8519745ea54ec
SHA256 761549d6f6b579825e521fe55c505fa5ef74a56e903ebf635cf2fc60944a83ce
SHA512 a4763474f0463b008e2788dbe68e74b24e41a34a3e3970f486ddf0664972cc549e52bd0220314bae248fc72f6a968305a57cc938f57d5d50d7564e9a226b354b

C:\Users\Admin\AppData\Local\Temp\QMh4TGGzQW.bat

MD5 f4ba642eaae469e502aa17d97b17c67e
SHA1 509456d43331e55a105a2e746714e0b361fbf99b
SHA256 8080b3eb59217759a4b8a4d6454e27a940d4739653d08ab38729f2e0ec1ed5a1
SHA512 4abe5bc5b7e044ce6eefd13efe425fc11a06f1872e20e87659ccf91814f9e6504d6c6156922b598d35df843fa811fa86b0c70ad8297ce98676bda85deaaedbde

memory/848-72-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

memory/2284-91-0x0000000000A60000-0x0000000000C64000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 05:26

Reported

2024-11-14 05:28

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\Windows\\tracing\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\Windows\\tracing\\smss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\Windows\\tracing\\smss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Mail\wininit.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Music\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Music\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\tracing\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\tracing\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
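The Winlogon Shell rows and the Run-key rows above describe the same trick twice: copies of the sample named after Windows binaries (dwm.exe, smss.exe, wininit.exe, RuntimeBroker.exe, TextInputHost.exe) are registered from directories where those binaries never live, and the Shell value is extended one entry at a time so Winlogon launches every copy at logon. The following is an added example for checking collected registry values for exactly that; it is not part of the sandbox report and not DcRat's own code. The sample values are constructed from the behavioral2 rows above (plus one benign OneDrive control entry), the list of legitimate home directories is an editor's assumption and is illustrative rather than exhaustive, and nothing here touches a live registry.

```python
"""Audit Winlogon Shell and Run-key values for masquerading persistence entries.

Added example; not part of the sandbox report and not DcRat's own code. The sample
values below are constructed from the behavioral2 Winlogon Shell and Run-key rows
(plus one benign control entry). Nothing here reads a live registry; a collector
would feed the same strings from the host and the checks apply unchanged.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Windows binaries whose names the dropped copies reuse, with the only directory
# where the real one lives (second field: whether subfolders count). Assumption:
# illustrative list, not an exhaustive inventory of Windows binaries.
LEGIT_HOME: Dict[str, Tuple[str, bool]] = {
    "explorer.exe": (r"c:\windows", False),
    "dwm.exe": (r"c:\windows\system32", False),
    "smss.exe": (r"c:\windows\system32", False),
    "wininit.exe": (r"c:\windows\system32", False),
    "runtimebroker.exe": (r"c:\windows\system32", False),
    "taskhostw.exe": (r"c:\windows\system32", False),
    "textinputhost.exe": (r"c:\windows\systemapps", True),
}
# Locations a service-style binary has no business starting from.
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|users\\public)\\")


def is_masquerade(path: str) -> bool:
    """True when a well-known binary name sits outside its legitimate directory."""
    p = path.strip().strip('"').lower()
    name, directory = ntpath.basename(p), ntpath.dirname(p)
    if name not in LEGIT_HOME or not directory:
        return False  # unknown name, or a bare name resolved via PATH
    home, subfolders_ok = LEGIT_HOME[name]
    if subfolders_ok and directory.startswith(home + "\\"):
        return False
    return directory != home


def split_shell_value(value: str) -> List[str]:
    """The Shell value is a comma-separated list; entries may be double-quoted."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def audit_winlogon_shell(value: str) -> List[str]:
    """Every Shell entry beyond the default bare 'explorer.exe'. Winlogon starts
    each listed program, so anything extra here is a logon-time launch."""
    return [e for e in split_shell_value(value) if e.lower() != "explorer.exe"]


def first_token(cmd: str) -> str:
    """Executable part of a Run-key command: the quoted path, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def audit_run_keys(run_values: Dict[str, str]) -> List[str]:
    """Run-key value names whose executable masquerades a system binary or lives
    in a temp / Public directory."""
    hits = []
    for name, cmd in run_values.items():
        exe = first_token(cmd)
        if is_masquerade(exe) or USER_WRITABLE.search(exe.lower()):
            hits.append(name)
    return hits


# Constructed from the report's behavioral2 registry rows, plus a benign control.
SAMPLE_SHELL = (
    r'explorer.exe, "C:\Recovery\WindowsRE\dwm.exe", '
    r'"C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe", '
    r'"C:\Users\Public\Music\RuntimeBroker.exe", "C:\Windows\tracing\smss.exe", '
    r'"C:\Program Files (x86)\Windows Mail\wininit.exe"'
)
SAMPLE_RUN = {
    "TextInputHost": r'"C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe"',
    "RuntimeBroker": r'"C:\Users\Public\Music\RuntimeBroker.exe"',
    "smss": r'"C:\Windows\tracing\smss.exe"',
    "wininit": r'"C:\Program Files (x86)\Windows Mail\wininit.exe"',
    "dwm": r'"C:\Recovery\WindowsRE\dwm.exe"',
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    print(audit_winlogon_shell(SAMPLE_SHELL))
    print(audit_run_keys(SAMPLE_RUN))
```

The Shell check is deliberately strict: on a workstation the value should be the bare string explorer.exe, so any additional entry is reportable on its own, before the masquerade check adds the reason. The OneDrive entry is there to show that a quoted path with arguments in a user profile does not trip either rule.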

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | \??\c:\Windows\System32\CSC932A48A72780499AA72067926DA1C16C.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A
File created | \??\c:\Windows\System32\s_kgxh.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Mail\wininit.exe | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\wininit.exe | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\56085415360792 | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
File created | C:\Program Files\ModifiableWindowsApps\taskhostw.exe | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\it-IT\22eafd247d37c3 | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\tracing\smss.exe | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
File created | C:\Windows\tracing\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2864 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2864 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4060 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4060 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2864 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 3292 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\cmd.exe
PID 2864 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | C:\Windows\System32\cmd.exe
PID 2696 wrote to memory of 1904 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 2696 wrote to memory of 1904 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 2696 wrote to memory of 4496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2696 wrote to memory of 4496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2696 wrote to memory of 4188 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Mail\wininit.exe
PID 2696 wrote to memory of 4188 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Mail\wininit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jcftksot\jcftksot.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA88.tmp" "c:\Windows\System32\CSC932A48A72780499AA72067926DA1C16C.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QkuNgFXync.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Mail\wininit.exe

"C:\Program Files (x86)\Windows Mail\wininit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 221580cm.nyashkoon.in udp
FR 37.44.238.250:80 221580cm.nyashkoon.in tcp
FR 37.44.238.250:80 221580cm.nyashkoon.in tcp
US 8.8.8.8:53 250.238.44.37.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Recovery\WindowsRE\dwm.exe

MD5 43a09f586ae8fe86191c47743b5cf744
SHA1 a8bc2177c871d0d29e93737a7ebcaa3da8f182de
SHA256 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58
SHA512 ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104

\??\c:\Users\Admin\AppData\Local\Temp\jcftksot\jcftksot.cmdline

MD5 3f88461125ef89dec728fea21f2e6a7e
SHA1 e5e17759d21a0503fb74e43d9db8d5d2d52636a6
SHA256 c3e214de642f83d6c991a84f6933f2fd22388c7fe7459e123351cb3fcb0d355b
SHA512 01edfda0595fd03bff9c2e36c2046a12b801484280c86b5b93b353465c97e27e7e74f8f03501c3a65e63353a9b2f0af8ac8d2caebca666c7d513181294af4fca

\??\c:\Users\Admin\AppData\Local\Temp\jcftksot\jcftksot.0.cs

MD5 a149de744452d7d9c3627798e07ad3d6
SHA1 974ddbeaa0ef77d485087e372be0dad0c2bbb6a9
SHA256 4fa31d298fd88157215ecc7bc7ef00277b98486cd1f6ebdc88c298962f20dee0
SHA512 18d97fdc515e6c1201da2ea86d7dabe3e2c948028be2a6342b481cdfbffa60b6407f4203c27c7fa2c68a4d92672cd17df78b4b6a507a3449201cdb9102cd4c44

\??\c:\Windows\System32\CSC932A48A72780499AA72067926DA1C16C.TMP

MD5 634e281a00b7b9f516c3048badfa1530
SHA1 af6369715ce2fe9b99609e470d4f66698880a35a
SHA256 0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8
SHA512 1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

C:\Users\Admin\AppData\Local\Temp\RESAA88.tmp

MD5 6431bbdb6f77f2d693f13c37d5b630d0
SHA1 65a7b9f3e8c58d12eb1177d82958fa650478c825
SHA256 2205f0343978f2cb8176f460dbfb7ee1e1d2d3e47c8c62188f70edd462293ce0
SHA512 ad16e5decf974ff84c312c06b1ebdc0503d4bebb3b986c98365a93c0d5c4468abf933b363fd4d6579a95f0a2cf65b0eff6b3f96bfa9560e534d00a51e80427d2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qssjtgen.jvg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\QkuNgFXync.bat

MD5 85983d31f36879c00ff17d51a86bd3c0
SHA1 35970d120d663159a7029ce6df9a23cdf51fe334
SHA256 069ab4ea66f5239f7fe518c4be19d8a8cf4ec15282f6f4fef2cd6874f4ac8a4c
SHA512 badc798ab59583a8b0b2ea0d79499c1a44f3003429311e8372ae6112dece7669d11ed811a1eb4f22fa092170d5259bd309419a80a2235401cd4d5023f909387d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 a43e653ffb5ab07940f4bdd9cc8fade4
SHA1 af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256 c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA512 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
