Malware Analysis Report

2024-12-07 03:17

Sample ID 241114-f8bhwsvgjn
Target 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
SHA256 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58
Tags
dcrat discovery execution infostealer persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58

Threat Level: Known bad

The file 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe was found to be: Known bad.

Malicious Activity Summary

dcrat discovery execution infostealer persistence rat spyware stealer

Process spawned unexpected child process

Dcrat family

Modifies WinLogon for persistence

DcRat

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Uses Task Scheduler COM API

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 05:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 05:32

Reported

2024-11-14 05:34

Platform

win7-20241010-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\csrss.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\lsm.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\csrss.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\csrss.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\csrss.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\csrss.exe\", \"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\lsm.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Java\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\VideoLAN\\VLC\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\VideoLAN\\VLC\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Java\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\security\\ApplicationId\\PolicyManagement\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\9w3j6e.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\CSC97965B20833D493AAC47CB9B9269EE9.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Program Files\VideoLAN\VLC\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Media Renderer\lsm.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Media Renderer\101b941d020240 C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Program Files\Java\csrss.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\security\ApplicationId\PolicyManagement\lsm.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Windows\security\ApplicationId\PolicyManagement\101b941d020240 C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2676 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2676 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2760 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2760 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2760 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2676 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\cmd.exe
PID 2676 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\cmd.exe
PID 2676 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\cmd.exe
PID 484 wrote to memory of 236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 484 wrote to memory of 236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 484 wrote to memory of 236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 484 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 484 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 484 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 484 wrote to memory of 2384 N/A C:\Windows\System32\cmd.exe C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe
PID 484 wrote to memory of 2384 N/A C:\Windows\System32\cmd.exe C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe
PID 484 wrote to memory of 2384 N/A C:\Windows\System32\cmd.exe C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wyfaveo0\wyfaveo0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA841.tmp" "c:\Windows\System32\CSC97965B20833D493AAC47CB9B9269EE9.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\PolicyManagement\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P5jIi4Pr6U.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe

"C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 221580cm.nyashkoon.in udp
FR 37.44.238.250:80 221580cm.nyashkoon.in tcp
FR 37.44.238.250:80 221580cm.nyashkoon.in tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2676-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

memory/2676-1-0x00000000012D0000-0x00000000014D4000-memory.dmp

memory/2676-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2676-3-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2676-4-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2676-6-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

memory/2676-8-0x0000000000B50000-0x0000000000B6C000-memory.dmp

memory/2676-10-0x0000000000B70000-0x0000000000B88000-memory.dmp

memory/2676-12-0x0000000000B90000-0x0000000000BA2000-memory.dmp

memory/2676-13-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2676-14-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2676-15-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2676-17-0x0000000000B30000-0x0000000000B3E000-memory.dmp

memory/2676-19-0x0000000000B40000-0x0000000000B4E000-memory.dmp

memory/2676-20-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2676-22-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

memory/2676-23-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2676-24-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2676-26-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

C:\Program Files\Java\csrss.exe

MD5 43a09f586ae8fe86191c47743b5cf744
SHA1 a8bc2177c871d0d29e93737a7ebcaa3da8f182de
SHA256 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58
SHA512 ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104

\??\c:\Users\Admin\AppData\Local\Temp\wyfaveo0\wyfaveo0.cmdline

MD5 98e5dd25034587468481ca2597a27199
SHA1 7f56a88519e5c1c571f5d90b9cf8dbdca71078d3
SHA256 8a7caa88dfb7adf22ab7bdfbb5df71763b4d4437656d143fc39e8efb57768b12
SHA512 12ca89ed49a9a24460a3f0b1c0858b8c063152396bb5e7c9f14daf57c5f1ac2b61f4a475c79ddd7d0cb911a29f30b16445f16d6a5673607916a7b1a47f6630cd

\??\c:\Users\Admin\AppData\Local\Temp\wyfaveo0\wyfaveo0.0.cs

MD5 b868addbf97b6f1d1604eec40c1c5ee8
SHA1 4a1f59ea8e337c7b49fcbf3fe560779698a50776
SHA256 bb79a728a63fa012aa26ab5550af8209f017720bba55c2a094490bdfb985d5d7
SHA512 3592d928264dc1769c07f373c9ea49cd923dbeeaf8e5c333f00ec49081e78fd5112beee4d1e5d8186145bffd27265a4e8e586d28b799e3fbf05728c966052a2b

\??\c:\Windows\System32\CSC97965B20833D493AAC47CB9B9269EE9.TMP

MD5 70046c6c63d509bb29450ef32b59dda3
SHA1 26802b73997ee22a7cd3d07ae77016969603cf00
SHA256 dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0
SHA512 d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

C:\Users\Admin\AppData\Local\Temp\RESA841.tmp

MD5 882272dc92f38a0f1ea7126ca1c59616
SHA1 1a326b040ffa0b466b3751f3d7afb916328a4020
SHA256 a4c9b234916b7e9994fa6427bfad16625644f725de497bfc822f3dae897d6920
SHA512 f79782a4657de87f4132a9ab9bcf1dab9e66892b949156fc2a8ea68f76bc4ac5e7bef00d566e3e14cb93b389b9af034e2bfe1a3d0abd8455500e492290839077

memory/2676-50-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

memory/2676-51-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2676-52-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E4ZRI46PQAJIMY7SCBJY.temp

MD5 2dcb55e09b422f4f7ecc3ef730f8b492
SHA1 c7294e3224042a1b709556af0b0a7c8100a60d0c
SHA256 cd06d69257688e798875c2234070a65fc5d73ce02c1ab031b0f1100ffcde403d
SHA512 5e0495d73baf143153a7e3da28321ef706b7904d87203ecd834e55028ce210f02b659459241165e6b17cca401fefc25c88f0ae7adfeb2cf7fea1dbaaec1b36c2

memory/2676-72-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\P5jIi4Pr6U.bat

MD5 5cfbbb02929578e011fa8e0f058c94aa
SHA1 502bee3c3096073893f8372a97d5ce72acb3ea70
SHA256 f23b0b34523453d249af2890d33fd9b76cf36426279123a9b5691566959c1d41
SHA512 86f14a4c7bd1e4f7ba64fcd606870d43ae165d2d0ad57615c262c9730a8c7930aa429d4f31b903831873266090c7dd0e8d8d533f798dc8953573fc75fbb06902

memory/1524-74-0x0000000002880000-0x0000000002888000-memory.dmp

memory/1708-73-0x000000001B730000-0x000000001BA12000-memory.dmp

memory/2384-92-0x0000000000830000-0x0000000000A34000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 05:32

Reported

2024-11-14 05:34

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Default\\Start Menu\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Default\\Start Menu\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCAACA5A80DE1842DFAF5169F14783542D.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\kpkopw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Program Files\dotnet\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ja-JP\dllhost.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Windows\ja-JP\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Windows\RemotePackages\RemoteApps\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
File created C:\Windows\ja-JP\dllhost.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2160 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3588 wrote to memory of 4704 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3588 wrote to memory of 4704 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2160 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\cmd.exe
PID 2160 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe C:\Windows\System32\cmd.exe
PID 4472 wrote to memory of 3528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4472 wrote to memory of 3528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4472 wrote to memory of 3532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4472 wrote to memory of 3532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4472 wrote to memory of 1324 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
PID 4472 wrote to memory of 1324 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Start Menu\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1up5vusy\1up5vusy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2F7.tmp" "c:\Windows\System32\CSCAACA5A80DE1842DFAF5169F14783542D.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\backgroundTaskHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u3YNNGkAjA.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe

"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 221580cm.nyashkoon.in udp
FR 37.44.238.250:80 221580cm.nyashkoon.in tcp
FR 37.44.238.250:80 221580cm.nyashkoon.in tcp
US 8.8.8.8:53 250.238.44.37.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2160-0-0x00007FFA81943000-0x00007FFA81945000-memory.dmp

memory/2160-1-0x00000000003C0000-0x00000000005C4000-memory.dmp

memory/2160-2-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-3-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-4-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-6-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

memory/2160-7-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-10-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-15-0x000000001B250000-0x000000001B262000-memory.dmp

memory/2160-13-0x000000001B120000-0x000000001B138000-memory.dmp

memory/2160-11-0x000000001B6F0000-0x000000001B740000-memory.dmp

memory/2160-9-0x0000000002810000-0x000000000282C000-memory.dmp

memory/2160-16-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-17-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-18-0x000000001BC70000-0x000000001C198000-memory.dmp

memory/2160-20-0x00000000027F0000-0x00000000027FE000-memory.dmp

memory/2160-25-0x0000000002830000-0x0000000002838000-memory.dmp

memory/2160-27-0x000000001B270000-0x000000001B27C000-memory.dmp

memory/2160-28-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-23-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-22-0x0000000002800000-0x000000000280E000-memory.dmp

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\SearchApp.exe

MD5 43a09f586ae8fe86191c47743b5cf744
SHA1 a8bc2177c871d0d29e93737a7ebcaa3da8f182de
SHA256 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58
SHA512 ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104

memory/2160-43-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\1up5vusy\1up5vusy.cmdline

MD5 a295506adce945cfb12e88deed336254
SHA1 91d86e1a0d5f09bff53628f7a409578384191fa8
SHA256 69e49d732802080f3d560e03ccd43e8c7959ab56d810062693d370d98ba64271
SHA512 e11ccec6adb4f7be172561e3fe1b044b3abd257c8d640859dd14f530caa8c739bc956d13f1a98892c221d4d361bd9c63bf409567ede1ae1bccc31927c2f9b518

\??\c:\Users\Admin\AppData\Local\Temp\1up5vusy\1up5vusy.0.cs

MD5 445a41ef5082677d2b7e186c24217d80
SHA1 b6ca840e3dc7a9235344373fd6befbc63721c794
SHA256 fcde1ac0dfd752633140e9b13ad2d2163db08bc0d8fca64d09b90f1f79d69bf2
SHA512 abf1ce07ce8b85c289562c8da640f0d74e8245de3d039cc445c4be5d0f61465405d180d0d86cf4a858361a5b9d433cb69b33a6457b5beefd537d87d33d9d829e

C:\Users\Admin\AppData\Local\Temp\RESA2F7.tmp

MD5 87359ce8075b74a9bcc2501292cea4a7
SHA1 0c25b2667a9cbdbb99faeeab3efc8d16977683e6
SHA256 e98c23b975a07994713a02d576bcc5819c2da328a72a4ff066cf3c4549039aa6
SHA512 6deeb43b216b7c15911467c82015da248ea84a9f026d545dfeac392fee33807381c796b41441c7cf5506ddd8197f5ce675c832641ece99c0ad004a68426a4e21

\??\c:\Windows\System32\CSCAACA5A80DE1842DFAF5169F14783542D.TMP

MD5 7bbfaf1199741b237d2493615c95c6d7
SHA1 86d466217c4dc1e0808f83ceda8f4b4df948b5dc
SHA256 e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476
SHA512 2eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c

memory/2160-53-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-54-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2160-60-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/4420-70-0x0000027DF8950000-0x0000027DF8972000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qvdox1ec.0f3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\u3YNNGkAjA.bat

MD5 c9abed4566092e2451550229ebcee6ee
SHA1 9d0eb3a3e9d14ac00b61977e8bb349d349287e42
SHA256 e78a471156d5ba77ae6c6ab7ddec6559498faf13529944ed2a4a0eeaebb922cb
SHA512 057ed11bcec6975d379480709accd25ab018d9a89dd2ec3cac760e9cf6b121e36c813b85dcbd73fcfec1b2fbba43a49529a6ddf12676e491dc238c0b9a06c01f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe.log

MD5 fb439153f3774b1c4f02ec154d525829
SHA1 83f284b217d57ea407a4c9fa90133b8b11c173a7
SHA256 640fc9ffd4a6afecff4f61ac9484f4722fa7fb9ed4f1b9aa36d1f28c9e227b33
SHA512 f0cc8a5e88ddb034cd9ab37997f8cd1ea32460d04dc636b0a9f16d5dede430ad1a8e929b0e3dc4224dcab838b7f02423790ad004f48a9abf46c8098663ae2bb4