Malware Analysis Report

2025-08-05 23:54

Sample ID 241230-tmmwpayrdl
Target a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe
SHA256 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177d
Tags
rat dcrat execution infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177d

Threat Level: Known bad

The file a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer

Process spawned unexpected child process

DcRat

DCRat payload

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 16:10

Signatures

DCRat payload

rat
Description Indicator Process Target
1 hit; no indicator, process or target details recorded for this signature

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
1 hit; no indicator, process or target details recorded for this signature

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 16:10

Reported

2024-12-30 16:12

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (42 identical hits)
Caveat: the parent path printed here does not correspond to any process recorded elsewhere in this report; the only WmiPrvSE.exe recorded as executing in this run is the dropped copy at C:\Users\All Users\Documents\WmiPrvSE.exe (see "Executes dropped EXE"). Confirm the parent's full image path in the process tree before attributing these task creations to the genuine WMI provider host.

DCRat payload

rat
Description Indicator Process Target
8 hits; no indicator, process or target details recorded for this signature

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
Note: the file touched is the hosts file, so this hit means local name-resolution tampering (blocking or redirecting domains, a common way to cut off security vendors or pin a C2 name), not a driver being dropped.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\All Users\Documents\WmiPrvSE.exe N/A
N/A N/A C:\Users\All Users\Documents\WmiPrvSE.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXF32E.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\services.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Program Files\Windows Portable Devices\lsass.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\en-US\RCXE462.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\en-US\RCXE4D1.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXF32F.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCXF533.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\lsass.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\en-US\services.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCXF532.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Esl\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Program Files\Windows Portable Devices\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Windows\security\ApplicationId\PolicyManagement\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\it-IT\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Windows\Media\Characters\smss.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Windows\diagnostics\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCXDC50.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\security\ApplicationId\PolicyManagement\RCXDE54.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\security\ApplicationId\PolicyManagement\RCXDE55.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\Media\Characters\RCXE25E.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Windows\Media\Characters\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\Media\Characters\RCXE25F.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\it-IT\RCXE762.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Windows\it-IT\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Windows\it-IT\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCXDC4F.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\Media\Characters\smss.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\it-IT\RCXE6F4.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
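Added example, not part of the sandbox output: the three "Drops file in ..." tables above (Drivers, Program Files, Windows) run through a short Python triage script. The input rows are a constructed subset copied from those tables plus one benign control row (C:\Windows\System32\services.exe) that the report does not contain; the SYSTEM_IMAGES list is limited to the names this sample used. The script flags system image names written outside System32/SysWOW64, groups each directory's masqueraded exe with its 14-hex-character companion file and any RCX*.tmp staging write, pivots on companion names reused across directories (c5b4cb5e9653cc sits beside services.exe in two locations in this report), and separates the hosts-file write from the "drivers directory" label.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Image names that belong in a Windows system directory. Limited to the names this
# sample used; extend for production use.
SYSTEM_IMAGES = {"services.exe", "lsass.exe", "smss.exe", "spoolsv.exe",
                 "sppsvc.exe", "wmiprvse.exe", "wmiadap.exe"}
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Drop-set markers visible in this report: a 14-hex-character companion file with no
# extension beside each masqueraded exe, and RCX<hex>.tmp staging files.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")
STAGING_RE = re.compile(r"^RCX[0-9A-F]{4}\.tmp$", re.IGNORECASE)

# Constructed input: (event, path) rows copied from the "Drops file in ..." tables,
# plus one benign control row (C:\Windows\System32\services.exe) that is NOT in the report.
SAMPLE_EVENTS = [
    ("File created", r"C:\Program Files (x86)\Windows Mail\en-US\services.exe"),
    ("File created", r"C:\Program Files (x86)\Windows Mail\en-US\c5b4cb5e9653cc"),
    ("File opened for modification", r"C:\Program Files (x86)\Windows Mail\en-US\RCXE462.tmp"),
    ("File created", r"C:\Program Files\Windows Portable Devices\lsass.exe"),
    ("File created", r"C:\Program Files\Windows Portable Devices\6203df4a6bafc7"),
    ("File created", r"C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe"),
    ("File created", r"C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\c5b4cb5e9653cc"),
    ("File created", r"C:\Windows\it-IT\WmiPrvSE.exe"),
    ("File created", r"C:\Windows\it-IT\24dbde2999530e"),
    ("File opened for modification", r"C:\Windows\System32\drivers\etc\hosts"),
    ("File created", r"C:\Windows\System32\services.exe"),  # control row, constructed
]


def masquerade_hits(events):
    """Paths whose file name is a core Windows image but whose directory is not a
    system directory (lsass.exe under Program Files, WmiPrvSE.exe under it-IT, ...)."""
    hits = []
    for _, path in events:
        p = PureWindowsPath(path)
        if p.name.lower() in SYSTEM_IMAGES and not str(p.parent).lower().startswith(LEGIT_DIRS):
            hits.append(path)
    return hits


def drop_sets(events):
    """Group rows by directory and keep only DCRat-style drop sets: a masqueraded exe
    next to a 14-hex companion file, optionally staged through an RCX*.tmp rename."""
    by_dir = defaultdict(set)
    for _, path in events:
        p = PureWindowsPath(path)
        by_dir[str(p.parent)].add(p.name)
    sets = {}
    for directory, names in by_dir.items():
        exes = sorted(n for n in names if n.lower() in SYSTEM_IMAGES)
        companions = sorted(n for n in names if COMPANION_RE.match(n))
        if exes and companions:
            sets[directory] = {"exe": exes, "companion": companions,
                               "staged_via_tmp": any(STAGING_RE.match(n) for n in names)}
    return sets


def shared_companions(events):
    """Companion names reused across directories: in this report c5b4cb5e9653cc sits next
    to services.exe in two different locations, a useful pivot for a file-name IOC."""
    seen = defaultdict(set)
    for _, path in events:
        p = PureWindowsPath(path)
        if COMPANION_RE.match(p.name):
            seen[p.name].add(str(p.parent))
    return {name: sorted(dirs) for name, dirs in seen.items() if len(dirs) > 1}


def hosts_tampering(events):
    """The 'Drops file in Drivers directory' hit is a write to the hosts file, i.e. local
    name-resolution tampering rather than a driver drop; surface it separately."""
    return [path for event, path in events
            if path.lower().endswith(r"\drivers\etc\hosts") and "modification" in event.lower()]


if __name__ == "__main__":
    for finding in masquerade_hits(SAMPLE_EVENTS):
        print("masquerade:", finding)
    for directory, info in drop_sets(SAMPLE_EVENTS).items():
        print("drop set:", directory, info)
    print("shared companions:", shared_companions(SAMPLE_EVENTS))
    print("hosts tampering:", hosts_tampering(SAMPLE_EVENTS))
```

Run it as a script to print the findings; the same functions accept any (event, path) list, for example rows exported from Sysmon FileCreate events, so the drop-set grouping can be reused as a hunt query on a live host.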

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A (49 hits)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 hits)
N/A N/A C:\Users\All Users\Documents\WmiPrvSE.exe N/A (3 hits)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 1964 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2968 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2168 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2348 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2924 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2092 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2704 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 1920 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2396 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2088 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 1508 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2420 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 604 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Users\All Users\Documents\WmiPrvSE.exe
PID 604 wrote to memory of 2824 (3 writes) N/A C:\Users\All Users\Documents\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 604 wrote to memory of 1972 (3 writes) N/A C:\Users\All Users\Documents\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2824 wrote to memory of 340 (3 writes) N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Documents\WmiPrvSE.exe
Resulting chain: sample (3052) > 12 x powershell.exe; sample (3052) > WmiPrvSE.exe (604) > WScript.exe (2824, 1972); WScript.exe (2824) > WmiPrvSE.exe (340).
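Added example, not part of the sandbox output: reconstructing the process tree from the "wrote to memory of" rows above. The input is a constructed excerpt of those rows with the sample's hash-named file shortened to sample.exe; every parent/child pair appears three times in the report, and two pairs are kept in triplicate here so the collapse is visible. The script collapses the writes into one edge per pair, walks every root-to-leaf chain, and flags the pattern worth alerting on here: a script host (WScript.exe 2824) whose parent and child are the same dropped image, i.e. the masqueraded WmiPrvSE.exe relaunching itself through a LOLBin.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)

# Constructed excerpt of the rows above; the sample's hash-named file is shortened to
# sample.exe. Two pairs are shown in triplicate, the rest once.
SAMPLE_ROWS = r"""
PID 3052 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\All Users\Documents\WmiPrvSE.exe
PID 3052 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\All Users\Documents\WmiPrvSE.exe
PID 3052 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\All Users\Documents\WmiPrvSE.exe
PID 604 wrote to memory of 2824 N/A C:\Users\All Users\Documents\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 604 wrote to memory of 2824 N/A C:\Users\All Users\Documents\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 604 wrote to memory of 2824 N/A C:\Users\All Users\Documents\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 604 wrote to memory of 1972 N/A C:\Users\All Users\Documents\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 2824 wrote to memory of 340 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Documents\WmiPrvSE.exe
"""


def parse_writes(text):
    """One edge per (parent PID, child PID) with the number of writes, plus a PID-to-image map."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst))] += 1
        images[int(src)], images[int(dst)] = src_img, dst_img
    return edges, images


def build_tree(edges):
    """Children and parent maps; roots are parents that never appear as a child."""
    children, parents = defaultdict(list), {}
    for parent, child in edges:
        children[parent].append(child)
        parents[child] = parent
    roots = [pid for pid in children if pid not in parents]
    return children, parents, roots


def chains(children, images, root):
    """Every root-to-leaf path as ' > '-joined image base names."""
    out = []

    def walk(pid, path):
        path = path + [PureWindowsPath(images[pid]).name]
        kids = children.get(pid, [])
        if not kids:
            out.append(" > ".join(path))
        for kid in kids:
            walk(kid, path)

    walk(root, [])
    return out


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def script_host_relays(children, parents, images):
    """A script host whose parent and child are the same image: the dropped binary
    relaunching itself through WScript (WmiPrvSE.exe 604 > WScript.exe 2824 > WmiPrvSE.exe 340).
    Returns (parent PID, script-host PID, child PID, image path) tuples."""
    hits = []
    for pid, image in images.items():
        if PureWindowsPath(image).name.lower() not in SCRIPT_HOSTS:
            continue
        parent = parents.get(pid)
        for child in children.get(pid, []):
            if parent is not None and images[parent].lower() == images[child].lower():
                hits.append((parent, pid, child, images[child]))
    return hits


if __name__ == "__main__":
    edges, images = parse_writes(SAMPLE_ROWS)
    children, parents, roots = build_tree(edges)
    for (parent, child), n in edges.items():
        print(f"{parent} -> {child} ({n} writes): {images[child]}")
    for root in roots:
        print("\n".join(chains(children, images, root)))
    print("script-host relays:", script_host_relays(children, parents, images))
```

The relay check is the transferable part: in EDR telemetry the same shape (non-system image > wscript.exe/cscript.exe > same non-system image) is rare in legitimate software and cheap to evaluate per process-creation event.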

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe

"C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WMIADAP.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Characters\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Characters\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Characters\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\All Users\Documents\WmiPrvSE.exe

"C:\Users\All Users\Documents\WmiPrvSE.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e01d0f64-bab7-447d-873d-7113f08c5dcf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d98eaecb-a980-4b9f-af27-4df86f571112.vbs"

C:\Users\All Users\Documents\WmiPrvSE.exe

"C:\Users\All Users\Documents\WmiPrvSE.exe"

Network

Country Destination Domain Proto
PL 95.214.53.31:80 95.214.53.31 tcp

Files

C:\Windows\Media\Characters\smss.exe

MD5 9d62f5b5d9eca0a94ba46565918695f0
SHA1 71bfc63978a703ba9f0b18dae7d2ca67018b7fe8
SHA256 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177d
SHA512 a1db284ac814611263fee44d158cffb845bf20f92d993518bafb3dfba8a0de6a9d32c1b6545cf515febe61856225707765c9f9db2ca5476347d1674cff818199

C:\Program Files (x86)\Windows Mail\en-US\services.exe

MD5 5557a83b7eda286c7944d0c1999cfeab
SHA1 6675cb8c01b5782e6a0fc21813323298fabbce8f
SHA256 6d5c296c142be861346e9a6d9a5b0a3f153c44714bbaf0b4b264b5d2c3f1f367
SHA512 00e653c671fd2f6d26d677f4b8363153c7fcb8e60460cf4773f3027464f639b4b51ba3d9e690b23992c3fb64f3626055aa2427843d60e86be0a01471fadce43a

C:\Windows\it-IT\WmiPrvSE.exe

MD5 de0fa3d8acba2adfe721c1a72f67ecd1
SHA1 f81750696efa5aed193a02835255a6021e573a9b
SHA256 787bac419c9d576116b2577a1f649119df41b719bdde5b9f241f3d15e1091aa3
SHA512 2cfa57d2ed8fa04c6040a3617dcd8ca76a039e4e07930fefc14eb974e799db29f8220a31213e02dc996f2e8ba6110a0e9819c7578e2102eedc93e5c004afb24c

C:\Users\Public\Documents\WmiPrvSE.exe

MD5 f857a1d3e5da65672f958cc8379772f3
SHA1 372cad0f26e6241540d00a832b204076f28b04f4
SHA256 6a10259556dceb0f03b4cbe37a25da3f379add7f615b9732ea745e6f1e0f3cd6
SHA512 8eb5b0e662db10d117744502a3a01e03d9a15ed4302003d78f6edda766ddd1721209281e08939166c25141b1b5832b39afffd5c04b46b35c6be243c0673e0c90

C:\MSOCache\All Users\services.exe

MD5 ae358387b4f4f9c7e7700203d42a3ee8
SHA1 860b31853be2a4b62180384dd5e6ec94020fefb7
SHA256 5cab92463fed04f40fb3bf0c976145d1c2951c3e57fc4ad59460781c5c492a13
SHA512 af0ed003f88d31607229195bcdd57ec056eadc7895f1826162e47d37408350d6326171dfafea4abdec1ccef5d856913719f8494482e8aa59e1ee5e5e3fbe7f76

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe

MD5 d85af2a620fe30b910735cdfd2501ee0
SHA1 1fbafff90b68d32d71bb5a9bfa760a982b47d250
SHA256 a86bc570ba243a7f0785142d3a58677d73bade6ed9d06feb0e98b67a595c8665
SHA512 d1ac35bbfa43ec8132a3f52e0c248c1c0ba948d8c06759fa3298273d2d8d557d3ab30f39b3c2c6dc50e03d45451898bfd72d16c05b10bb67c637f3d0df0eba07

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f0e0a1ca5c4f0804c620da074ebbb9ce
SHA1 c732a94c2d8edc30bfaf8361aa633e86cc206d54
SHA256 75e3501a9ce580cabbfb32e9d8f1e2f5ac599f715f95b7877b6e615c3d353e70
SHA512 3a42c85528aefd291077539f99d802dcbd656e3eec347ccadb3b8935d94173bf278ec2143b79de679018b771487a14fd2423619fc107e84e43b913821a8d1251

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\e01d0f64-bab7-447d-873d-7113f08c5dcf.vbs

MD5 3f0fd9891fc01792318611f6f093bed4
SHA1 544316e9a26b36a469cc37dd152e0d0ff5726bce
SHA256 52ff85791d96f4050414ee603cc42d6ee2b2281a9f60bd64f03903adad90b322
SHA512 93edc76c9d0f50962d919c4f0aabd87e5cc526fa57ef03b717649e473894510a862736c1a5ec449cec21572c320c910e3671b378723b0b57009f92ba18235a88

C:\Users\Admin\AppData\Local\Temp\d98eaecb-a980-4b9f-af27-4df86f571112.vbs

MD5 f3ffc0d3aebc5d36bca2013d93c5f069
SHA1 795094405ca6fbd80b9fe1fd5154ffff501b5e4a
SHA256 547ee910d434f5935878eacc798c6d1d471c3eb6c625ba4a0bbed41d25e37301
SHA512 e04d2dcc10e5a6f4b5b5e5a6137a3b54814660bb3412cba662ffb8018e2291546b62caa53105ddb456d1502aaa2cd8733d00b1dcc704a75e60f7035d36686644

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 16:10

Reported

2024-12-30 16:12

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (15 identical events) N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\OfficeClickToRun.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\OfficeClickToRun.exe N/A
N/A N/A C:\Recovery\WindowsRE\OfficeClickToRun.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre-1.8\winlogon.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Program Files\Java\jre-1.8\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\RCX8948.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\RCX89C6.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\winlogon.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\RCX9053.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\RCX90D1.tmp C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Recovery\WindowsRE\OfficeClickToRun.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe N/A (28 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (33 identical rows)
N/A N/A C:\Recovery\WindowsRE\OfficeClickToRun.exe N/A (3 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4524 wrote to memory of 1456 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 3460 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 2524 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 4040 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 3976 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 2640 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 4476 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 5112 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 3632 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 3940 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 3584 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 3136 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe C:\Windows\System32\cmd.exe
PID 3136 wrote to memory of 4164 (2 identical events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3136 wrote to memory of 3280 (2 identical events) N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\OfficeClickToRun.exe
PID 3280 wrote to memory of 4272 (2 identical events) N/A C:\Recovery\WindowsRE\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 3280 wrote to memory of 2544 (2 identical events) N/A C:\Recovery\WindowsRE\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 4272 wrote to memory of 1364 (2 identical events) N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\OfficeClickToRun.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe

"C:\Users\Admin\AppData\Local\Temp\a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177dN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i3nWZXdZXo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\OfficeClickToRun.exe

"C:\Recovery\WindowsRE\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57fffc77-169a-42ae-bfd1-3359079ef332.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5061097-32c1-4490-8f1b-39aab253e705.vbs"

C:\Recovery\WindowsRE\OfficeClickToRun.exe

C:\Recovery\WindowsRE\OfficeClickToRun.exe
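
Added example, not part of this sandbox report: a Python triage script that parses the schtasks, Add-MpPreference and w32tm command lines listed above and scores them. It pulls task name, schedule, interval, action path and run level out of each schtasks /create line, then flags actions outside the usual program directories, System32 binary names (winlogon.exe, fontdrvhost.exe, SppExtComObj.exe) running from somewhere else, ONLOGON tasks with /rl HIGHEST, short MINUTE triggers that act as a watchdog, Defender exclusions covering a drive root or a top-level directory, and w32tm /stripchart against localhost, which only serves as a delay. The command lines are copied from the report; the allowlists, rule names and thresholds are constructed for this example.

```python
# Added example, not part of this sandbox report. Command lines are copied
# from the report; allowlists, rule names and thresholds are constructed here.
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

REPORT_CMDLINES = [
    r"""schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f""",
    r"""schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f""",
    r"""schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe'" /rl HIGHEST /f""",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
]

# Genuine System32 binaries whose names the dropper reuses (constructed
# allowlist; build it from a clean reference host in practice).
SYSTEM32_NAMES = {"winlogon.exe", "fontdrvhost.exe", "sppextcomobj.exe"}
# Directories a scheduled task's action is normally expected to run from.
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")

_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
_SC = re.compile(r"/sc\s+(\w+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_TR = re.compile(r"""/tr\s+["']+([^"']+)["']+""", re.I)
_RL = re.compile(r"/rl\s+(\w+)", re.I)
_EXCL = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)


@dataclass
class Task:
    name: str
    schedule: str            # MINUTE, ONLOGON, ...
    interval: Optional[int]  # /mo value, if present
    target: str              # /tr path with the quoting stripped
    runlevel: str            # LIMITED is the schtasks default


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse_schtask(cmd: str) -> Optional[Task]:
    """Fields of a `schtasks /create` command line, or None for anything else."""
    if not re.match(r'\s*"?schtasks(\.exe)?"?\s+/create\b', cmd, re.I):
        return None
    tn, sc, mo, tr, rl = (p.search(cmd) for p in (_TN, _SC, _MO, _TR, _RL))
    return Task(name=tn.group(1) if tn else "",
                schedule=sc.group(1).upper() if sc else "",
                interval=int(mo.group(1)) if mo else None,
                target=tr.group(1) if tr else "",
                runlevel=rl.group(1).upper() if rl else "LIMITED")


def analyze_schtask(task: Task) -> List[Finding]:
    low = task.target.lower()
    out = []
    if low and not low.startswith(EXPECTED_DIRS):
        out.append(Finding("unusual_task_path", task.target))
    if ntpath.basename(low) in SYSTEM32_NAMES and not low.startswith(r"c:\windows\system32"):
        out.append(Finding("system_binary_masquerade", task.target))
    if task.schedule == "ONLOGON" and task.runlevel == "HIGHEST":
        out.append(Finding("elevated_logon_persistence", task.name))
    if task.schedule == "MINUTE" and task.interval is not None and task.interval <= 15:
        out.append(Finding("watchdog_relaunch", f"{task.name} every {task.interval} min"))
    return out


def analyze_exclusion(cmd: str) -> List[Finding]:
    m = _EXCL.search(cmd)
    if not m:
        return []
    path = m.group(1).replace("/", "\\").rstrip("\\").lower()
    # A drive root or a top-level directory (C:\Users, C:\Windows ...) takes
    # whole trees out of scanning: defense evasion, not tuning.
    if re.fullmatch(r"[a-z]:(\\[^\\]+)?", path):
        return [Finding("broad_defender_exclusion", m.group(1))]
    return []


def analyze_delay(cmd: str) -> List[Finding]:
    # Polling localhost with /stripchart yields nothing useful; in a batch
    # loader it only pauses for roughly period * (samples - 1) seconds.
    if re.match(r'\s*"?w32tm(\.exe)?"?\s+/stripchart\b', cmd, re.I) and "/computer:localhost" in cmd.lower():
        return [Finding("w32tm_sleep", cmd)]
    return []


def triage(cmdlines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for cmd in cmdlines:
        task = parse_schtask(cmd)
        findings += analyze_schtask(task) if task else []
        findings += analyze_exclusion(cmd) + analyze_delay(cmd)
    return findings
```

The paired tasks are the point: each dropped binary gets one ONLOGON task with /rl HIGHEST and one MINUTE task that restarts it every few minutes, so killing the process without deleting both tasks only buys a short window. The same rules can be pointed at live hosts by feeding them the action strings from Get-ScheduledTask and the ExclusionPath list from Get-MpPreference.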

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
PL 95.214.53.31:80 95.214.53.31 tcp
US 8.8.8.8:53 31.53.214.95.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4524-0-0x00007FFEC1A63000-0x00007FFEC1A65000-memory.dmp

memory/4524-1-0x0000000000640000-0x00000000007F6000-memory.dmp

memory/4524-2-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

memory/4524-3-0x000000001B500000-0x000000001B51C000-memory.dmp

memory/4524-4-0x000000001BAA0000-0x000000001BAF0000-memory.dmp

memory/4524-6-0x000000001B530000-0x000000001B540000-memory.dmp

memory/4524-5-0x000000001B520000-0x000000001B528000-memory.dmp

memory/4524-8-0x000000001B560000-0x000000001B572000-memory.dmp

memory/4524-7-0x000000001B540000-0x000000001B556000-memory.dmp

memory/4524-9-0x000000001BBF0000-0x000000001BC00000-memory.dmp

memory/4524-10-0x000000001B570000-0x000000001B57C000-memory.dmp

memory/4524-11-0x000000001B580000-0x000000001B588000-memory.dmp

memory/4524-13-0x000000001BC00000-0x000000001BC0C000-memory.dmp

memory/4524-14-0x000000001BE80000-0x000000001BE8C000-memory.dmp

memory/4524-17-0x000000001BE30000-0x000000001BE3C000-memory.dmp

memory/4524-16-0x000000001BE20000-0x000000001BE28000-memory.dmp

memory/4524-15-0x000000001BE10000-0x000000001BE1A000-memory.dmp

memory/4524-18-0x000000001BE40000-0x000000001BE4C000-memory.dmp

memory/4524-21-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

memory/4524-22-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe

MD5 9d62f5b5d9eca0a94ba46565918695f0
SHA1 71bfc63978a703ba9f0b18dae7d2ca67018b7fe8
SHA256 a572d7ac14e164c9eca450da0707237e278e34a55c030977dc0f3c73e3ab177d
SHA512 a1db284ac814611263fee44d158cffb845bf20f92d993518bafb3dfba8a0de6a9d32c1b6545cf515febe61856225707765c9f9db2ca5476347d1674cff818199

C:\Program Files\Java\jre-1.8\winlogon.exe

MD5 3a9bc73020a1a6d0e2766d443c6250d6
SHA1 11c0b2bfa6786c4f362fb7a74c4491cdfbf9f310
SHA256 0df963a043df4e9dd4a316175dbbb313cdfccc20e245bc561759c00ba5e7a352
SHA512 6120d438d570df48cd9f914b0245f61359743144fa4644698cd982b774d06560bc50c2c553cc0d5576dad8a1b86b126b95357ac662b9950d2f90b34c717a815c

C:\Recovery\WindowsRE\fontdrvhost.exe

MD5 4aa38b53d097cfa68c4e74e2e89d2b1f
SHA1 61ebabde3735e88f9cf14670373d2c5117290b5b
SHA256 c1b84af9be473974dbbce2bb5b9b90b6fee3283d23aac2cff15e7c40114aeaf3
SHA512 03785dbd68fb91580995158e9fde490c55623886f98772a1e76266b806c8e863351956fabb18ec3256efd4f5f397160839d0d1c17f3bb088884d3dea958ea69f

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.TraceSource\Idle.exe

MD5 56a5fef2f8bb53683b570436bd6fc924
SHA1 7d0f2f230492929e25e4b836143fc82f4b4c7098
SHA256 e64251aba080cc985aa755e6bc1ea69f8854776d1c6b65251b6d252a6919b62e
SHA512 994ff86273b0b22d4c0218da4fadcf0c51b7f17551281b08de5741fc0329488bfaae9b7b08b62a472a5a40bdd6875a7536157ec4143282414098d5c63b06c143

memory/2524-102-0x00000197E1AA0000-0x00000197E1AC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rj4c1i2w.k35.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4524-115-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\i3nWZXdZXo.bat

MD5 814d716a5937af1da0fd5e30a5bfded8
SHA1 0b6f3a13d2b5f12741e571d9fe66d356df8dd1b2
SHA256 8636ab48c8c83d3cfff644ef29a97e3f1a81f3d333ce583e4efab3c006ba7f33
SHA512 e05fcd46c97525cf34dc3367172ab5aca18e9e9dca57aba9b3dbbaeeb9210fa3f837af88bdd5138410525c7e79cf25fa93d86b6c6e699202211c0ac6a935be41

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Temp\57fffc77-169a-42ae-bfd1-3359079ef332.vbs

MD5 a002c785c46d2397c33d60b74dde9eb6
SHA1 639a6a8b6fe6d6dd1fe9b213af2fb49047a03285
SHA256 de0dccc6ecd50bd0f17736d1f772b31a2647584189abfe20fd8498e4943f2341
SHA512 445e6bb366f1751e35798e1606ff6d3dc8e97cce7ce358bc51975dac619d4c84e4341c7237c4763a9e501f798b4a432865752b4a99301cd87b9161c0957ccdb8

C:\Users\Admin\AppData\Local\Temp\d5061097-32c1-4490-8f1b-39aab253e705.vbs

MD5 cd414d5b52c887c5034e90b9204badd5
SHA1 8a6e0b10706b3bf4188ea104e4456289f816aa8c
SHA256 6f3f614ede9f19708c9325b48a00a4d37166705ab8219a752bfeb8f543a0e981
SHA512 206f964d39efa9493573941b90af560bdeba132f8f10968204abf01d82d4b53b1a0e59d93e24846d401ce03d1d29bb7b0e74adfbbdb59ecbb5eab69195dbcde4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

MD5 3ad9a5252966a3ab5b1b3222424717be
SHA1 5397522c86c74ddbfb2585b9613c794f4b4c3410
SHA256 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249
SHA512 b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

memory/1364-236-0x0000000002870000-0x0000000002882000-memory.dmp