Malware Analysis Report

2025-08-10 11:51

Sample ID: 241230-c4fp9svqan
Target: b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe
SHA256: b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd
Tags: rat dcrat evasion infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd

Threat Level: Known bad

The file b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

DCRat payload

DcRat

Process spawned unexpected child process

UAC bypass

Dcrat family

DCRat payload

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: CmdExeWriteProcessMemorySpam

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 02:37

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 02:37

Reported

2024-12-30 02:40

Platform

win7-20240903-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A
(this identical row appears 48 times in the report)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(this identical row appears 8 times in the report)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\GroupPolicy\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\RCXC89D.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\RCXC89E.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\System32\GroupPolicy\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Program Files\Windows Sidebar\fr-FR\Idle.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXC108.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\RCXCAA1.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\RCXCAA2.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\fr-FR\RCXCCA6.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\fr-FR\csrss.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\fr-FR\RCXD73A.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Program Files\Windows Defender\fr-FR\csrss.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXC176.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\fr-FR\Idle.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Program Files\Windows Sidebar\fr-FR\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\fr-FR\RCXD739.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Program Files\Windows Defender\fr-FR\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\fr-FR\RCXCCA7.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Vss\Writers\Application\RCXB79E.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\Fonts\RCXBC16.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\Fonts\System.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\AppCompat\Programs\RCXD9AB.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\AppCompat\Programs\lsm.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\AppCompat\Programs\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\Migration\WTR\services.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\en-US\RCXC3AA.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\Migration\WTR\RCXC689.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\AppCompat\Programs\RCXD9AC.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\Vss\Writers\Application\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\Vss\Writers\Application\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\Migration\WTR\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\AppCompat\Programs\lsm.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\Fonts\RCXBC15.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\en-US\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\Migration\WTR\services.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\Vss\Writers\Application\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\Fonts\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\en-US\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\en-US\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\servicing\en-US\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\Vss\Writers\Application\RCXB79F.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\en-US\RCXC3A9.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File opened for modification | C:\Windows\Migration\WTR\RCXC61B.tmp | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
File created | C:\Windows\Fonts\System.exe | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(this identical row appears 48 times in the report)

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
(this identical row appears 45 times in the report)
N/A | N/A | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A
(this identical row appears 19 times in the report)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\GroupPolicy\sppsvc.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe

"C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\Application\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\Application\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\GroupPolicy\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\GroupPolicy\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\GroupPolicy\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\fr-FR\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xx1rvPQXwC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\GroupPolicy\sppsvc.exe

"C:\Windows\System32\GroupPolicy\sppsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cr39969.tw1.ru udp
RU 185.114.245.123:80 cr39969.tw1.ru tcp

Files

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe

C:\Users\Public\lsm.exe

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe

C:\Windows\Migration\WTR\services.exe

C:\Users\Default\spoolsv.exe

C:\Program Files\Windows Sidebar\fr-FR\RCXD739.tmp

C:\Users\Admin\AppData\Local\Temp\xx1rvPQXwC.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 02:37

Reported

2024-12-30 02:40

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\sihost.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\RCXB8B7.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\RCXC0CC.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\dotnet\RCXC7E7.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files (x86)\Google\Temp\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\System.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCXCA88.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\RCXD1D1.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD4C2.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files\dotnet\sihost.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCXCA89.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files (x86)\Google\Temp\Registry.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\RCXD1D2.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files\Microsoft Office\Office16\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\System.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files\Microsoft Office\Office16\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files\Windows Portable Devices\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files\Windows Portable Devices\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files (x86)\Google\Temp\Registry.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD454.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files\dotnet\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\System.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\dotnet\RCXC7E6.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files (x86)\Google\Temp\RCXCF20.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\System.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\RCXB974.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\RCXC0CD.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Program Files (x86)\Google\Temp\RCXCF9E.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Prefetch\RCXD90B.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Windows\Prefetch\RCXD989.tmp C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File opened for modification C:\Windows\Prefetch\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Windows\Prefetch\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
File created C:\Windows\Prefetch\1d0642f76d2662 C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
N/A N/A C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Defender\de-DE\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe

"C:\Users\Admin\AppData\Local\Temp\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office16\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Recent\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\dotnet\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\lib\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre-1.8\lib\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efdb" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd" /sc ONLOGON /tr "'C:\Windows\Prefetch\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efdb" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbIz777asp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Defender\de-DE\System.exe

"C:\Program Files (x86)\Windows Defender\de-DE\System.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 cr39969.tw1.ru udp
RU 185.114.245.123:80 cr39969.tw1.ru tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
RU 185.114.245.123:80 cr39969.tw1.ru tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Recovery\WindowsRE\unsecapp.exe

MD5 1d7d311dcf59159f75a359a7da19226c
SHA1 6c4b66600d421112b33372f85168bba68c6fac38
SHA256 b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd
SHA512 a7bd62f683a7e50c31654136faf1eec8a51fdcf965541a21df0e5165315d6aafe899c30abd4c5d3eeb1970b41128e62ff63a3866a87d227dbc549d597d5953bd

C:\Program Files\Microsoft Office\Office16\SearchApp.exe

MD5 bfb0e24b2550e2a3a349bc6d3a2db938
SHA1 8f158df9be412e6900143c82531634aa62ddb538
SHA256 64382c74c6235456bd2cdeffae70b5f74124070bc4b20df5283a07ff2c87bb8e
SHA512 72e01cd9a186e868e17fc25f566ebb6fbf74ace021f9a45f264921d6bc0463abd938b4e30c5e4b83c9e1022fc441ca40be03f06dad40eead7dee35d74a261be6

C:\Recovery\WindowsRE\unsecapp.exe

MD5 5fbf26f52cd2eaac85cfc3e339509020
SHA1 b50773f2a2df87d2269973de08caa35f00ce16e6
SHA256 dcc82314995e074943ddae1fb6f46e05f38d1d0a85567122123c74d443c7ab0b
SHA512 f512a17bb3aa58cc4b64cd9df0a626373c63762442b447a7fc4129998e1a92fb91085fc565ad3b99bc9475825b575738482e9c3575cc9604dc557cfbccc39590

C:\Recovery\WindowsRE\SppExtComObj.exe

MD5 8aae8aa6f3e015a7ebf032f584d0bfc3
SHA1 858c005e5032987c113ad7ee749167bebdc65dc1
SHA256 1436a83e958774aae459deb4a1a27f77853223dbd04f08b17580622851de3034
SHA512 ba0a5352df8d3c14337b3acd993fa8ec449764e6608ff7837393361a80a4b72131abd055260933a64607378c55849df407a5623ba857491417a0e51cf5d3c97b

C:\Program Files (x86)\Google\Temp\Registry.exe

MD5 d285137648e1868dd27ada1a95943439
SHA1 9e663ca7319949f161ae9098044be75b0cf46aeb
SHA256 f58e475acc1dc5d0723334c8a43bc67df529e57ec57793d35ec3f84ebe7cf0da
SHA512 3d7f2898acd9ffe8e7f2ff60124187c62cc5c05e645337ffd2c4db7167f948782dfb0a77280bbc4b12843efeac5b3f11ae5ff32c059c6d15c08dba74d502a6db

C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe

MD5 1c44ccd3d708b7aefecb3e498bce55bf
SHA1 655420619a0b39df9629de40490d600f4ae9cb7f
SHA256 c082540e1eda85f47a2443a0717efcc1ccf5267bc71ede3eda3a30533d8a95e1
SHA512 5ba7c6c0c41fa782ee3f7d7b57abc55dd28b088c571b89078b1ad5c68bf0c59f80d71ded0c7dd54b3b3249b123f2a23084b292d0cdcc32489c0966eb5fca4038

C:\Windows\Prefetch\b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd.exe

MD5 dd14a399c38ac4f643d53510540eaf84
SHA1 fd7ce90b55463ea726a8d959316dc3fc1aa5fd67
SHA256 eec73eb05fee0ec132789a322569f52b8ee91334b5b315fb8c74c65c048d4f45
SHA512 9ba2b71ef057931efd1fd5c8e6e9fbb85d1f0791fc57046f06013a0b0e797a4a33f5ab7483057821d232cc45abfbaf02903e04440e51a77ec3ab3ed31d8a29d1

C:\Users\Admin\AppData\Local\Temp\bbIz777asp.bat

MD5 f64474af7af16925dbc73fc136722ca7
SHA1 d1e6f6fdaf3d72ff4d89a3b73fb889c4bfe321ba
SHA256 2e36e11d8624065fa57a9b319c02acf39bb93b44a4f0b2f522dff2a62dc447c8
SHA512 30073efc97e0e10513f7fb1800f2febe4dc91e31b03d5640c288d48db487832e765015d33d751313e71463c5eacab8c1757d0756d5c05ac45cd1aeb5ce0c095c
