Analysis Overview
SHA256
55edcf08f8521a9cddde8570baaac0ab8ef6e640e96c834db0e5c12f5b9c68fe
Threat Level: Known bad
The file archive_60.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Modifies WinLogon for persistence
Xenorat family
Dcrat family
RedLine
Xworm family
RedLine payload
Process spawned unexpected child process
njRAT/Bladabindi
Detect XenoRat Payload
NanoCore
Redline family
Nanocore family
Asyncrat family
Xworm
DcRat
Detect Xworm Payload
DCRat payload
Darkcomet family
Darkcomet
Modifies visiblity of hidden/system files in Explorer
UAC bypass
Njrat family
Async RAT payload
DCRat payload
Modifies Windows Firewall
Sets file to hidden
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Reads WinSCP keys stored on the system
Unsecured Credentials: Credentials In Files
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Modifies system executable filetype association
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Checks whether UAC is enabled
Checks installed software on the system
Drops file in System32 directory
AutoIT Executable
Sets desktop wallpaper using registry
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Uses Volume Shadow Copy WMI provider
Scheduled Task/Job: Scheduled Task
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Suspicious use of WriteProcessMemory
outlook_win_path
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious behavior: CmdExeWriteProcessMemorySpam
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Delays execution with timeout.exe
Modifies registry class
Suspicious use of SetWindowsHookEx
System policy modification
outlook_office_path
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-22 06:18
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Dcrat family
Detect XenoRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Njrat family
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Xenorat family
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250314-en
Max time kernel
137s
Max time network
146s
Command Line
Signatures
NanoCore
Nanocore family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 6004 set thread context of 4648 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe
"C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DNS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDDC8.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp |
Files
memory/2948-0-0x0000000074972000-0x0000000074973000-memory.dmp
memory/2948-1-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/2948-2-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/2948-6-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/2948-5-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/2948-7-0x0000000074972000-0x0000000074973000-memory.dmp
memory/2948-8-0x0000000074970000-0x0000000074F21000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | afd1041545455eca8f26e54c24020fc1 |
| SHA1 | 650237d2b8c87c3d7e346b983aaa112d8c477de2 |
| SHA256 | 6a964ccdded7a3837e35a3bfe1d35df00d970ca1a0c5b7d8d7dd0f49683f9873 |
| SHA512 | 7022f0d3f3d25115d66c27a0ede32e240394d219b648248eff56f8495f04efcc416779f81352411826d6ccc083912b4125c345044d987e77134fef29e349aec6 |
memory/2948-30-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/6004-31-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/6004-32-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/6004-33-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/6004-34-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/6004-35-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/4648-37-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4648-39-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/4648-42-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/4648-41-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/6004-40-0x0000000074970000-0x0000000074F21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDDC8.tmp
| MD5 | d81eb43d26d4511c44151cba2eb45983 |
| SHA1 | 135c98e039c6ab35d4e9564f15f9c56dc9dbeb9a |
| SHA256 | a72a8f6434d6b0fb904db5adc8cab891d12c53b4ac1435dfd13df51f84a2d4d0 |
| SHA512 | b5895c19159d23a8fa312967e47d0855ac6f8f314f8931f54469b0c0079a22e9e00a5eaf6729761f74d54e111454d49813e658243e920a9c3434a5576cdda721 |
memory/4648-47-0x0000000074970000-0x0000000074F21000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:40
Platform
win7-20240903-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| N/A | N/A | C:\MSOCache\All Users\lsass.exe | N/A |
| N/A | N/A | C:\MSOCache\All Users\lsass.exe | N/A |
| N/A | N/A | C:\MSOCache\All Users\lsass.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\MSBuild\wininit.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\WmiPrvSE.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Google\RCX11F1.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Google\RCX1202.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\de-DE\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\de-DE\1610b97d3ab4a7 | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\fonts\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\MSBuild\56085415360792 | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\smss.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\RCXFDE.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\Google\lsass.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX16F4.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX19D5.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Portable Devices\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\de-DE\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\fonts\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\RCXFDD.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX16F5.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX1966.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\en-US\RCX1BD8.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\en-US\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\MSBuild\wininit.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\DVD Maker\en-US\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\1033\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\24dbde2999530e | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\fonts\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\en-US\RCX1C47.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\smss.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\DVD Maker\en-US\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\WmiPrvSE.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\Google\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Google\lsass.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\lsass.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\lsass.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\lsass.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\lsass.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe
"C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe
"C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f2e7cee938a991ef6e4a0fcb64efc69af" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\f2e7cee938a991ef6e4a0fcb64efc69a.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f2e7cee938a991ef6e4a0fcb64efc69a" /sc ONLOGON /tr "'C:\Users\Default\NetHood\f2e7cee938a991ef6e4a0fcb64efc69a.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f2e7cee938a991ef6e4a0fcb64efc69af" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\f2e7cee938a991ef6e4a0fcb64efc69a.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p7bBo9DGHW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\lsass.exe
"C:\MSOCache\All Users\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bb80063-b882-4c22-ae8c-2eac5a3191aa.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee7b0928-6cb0-4b40-a844-92fc7c00faba.vbs"
C:\MSOCache\All Users\lsass.exe
"C:\MSOCache\All Users\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf21e2d5-bcb9-4358-b6dc-7dd2f336c069.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54a6bc23-daf1-42bf-add4-67f7e643f7a6.vbs"
C:\MSOCache\All Users\lsass.exe
"C:\MSOCache\All Users\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93bddda3-a851-4548-adbb-e54fec3368d9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28b4898d-2b8b-4781-beea-5aecf8618bbb.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a1087172.xsph.ru | udp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
Files
memory/1420-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp
memory/1420-1-0x00000000013A0000-0x00000000016EE000-memory.dmp
memory/1420-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/1420-3-0x0000000000200000-0x000000000020E000-memory.dmp
memory/1420-4-0x0000000000410000-0x0000000000418000-memory.dmp
memory/1420-5-0x0000000000420000-0x000000000043C000-memory.dmp
memory/1420-6-0x0000000000440000-0x0000000000448000-memory.dmp
memory/1420-7-0x0000000000450000-0x0000000000460000-memory.dmp
memory/1420-8-0x0000000000460000-0x0000000000476000-memory.dmp
memory/1420-9-0x0000000000480000-0x0000000000488000-memory.dmp
memory/1420-10-0x00000000004A0000-0x00000000004B2000-memory.dmp
memory/1420-11-0x00000000004B0000-0x00000000004C0000-memory.dmp
memory/1420-12-0x0000000000490000-0x000000000049A000-memory.dmp
memory/1420-13-0x0000000000670000-0x00000000006C6000-memory.dmp
memory/1420-14-0x00000000004C0000-0x00000000004CC000-memory.dmp
memory/1420-15-0x0000000000650000-0x0000000000658000-memory.dmp
memory/1420-16-0x0000000000B60000-0x0000000000B6C000-memory.dmp
memory/1420-17-0x0000000000B70000-0x0000000000B78000-memory.dmp
memory/1420-18-0x0000000000B80000-0x0000000000B92000-memory.dmp
memory/1420-19-0x0000000000BB0000-0x0000000000BBC000-memory.dmp
memory/1420-22-0x0000000000BE0000-0x0000000000BEC000-memory.dmp
memory/1420-21-0x0000000000BD0000-0x0000000000BD8000-memory.dmp
memory/1420-23-0x0000000000C70000-0x0000000000C7C000-memory.dmp
memory/1420-20-0x0000000000BC0000-0x0000000000BCC000-memory.dmp
memory/1420-25-0x0000000000C80000-0x0000000000C8C000-memory.dmp
memory/1420-24-0x0000000000C90000-0x0000000000C98000-memory.dmp
memory/1420-26-0x0000000000CA0000-0x0000000000CAA000-memory.dmp
memory/1420-27-0x0000000000CB0000-0x0000000000CBE000-memory.dmp
memory/1420-28-0x0000000000CC0000-0x0000000000CC8000-memory.dmp
memory/1420-29-0x0000000000CD0000-0x0000000000CDE000-memory.dmp
memory/1420-30-0x0000000000CE0000-0x0000000000CE8000-memory.dmp
memory/1420-31-0x0000000000D70000-0x0000000000D7C000-memory.dmp
memory/1420-32-0x0000000000D80000-0x0000000000D88000-memory.dmp
memory/1420-33-0x0000000000D90000-0x0000000000D9A000-memory.dmp
memory/1420-34-0x0000000000DA0000-0x0000000000DAC000-memory.dmp
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe
| MD5 | f2e7cee938a991ef6e4a0fcb64efc69a |
| SHA1 | a256643993c2ad1e86be6209dd3cf457ba6e6865 |
| SHA256 | b874ba54767cb863c42144303d87a6cba7c13b2cb36d10ecc714b226b1732d03 |
| SHA512 | af637f0038ac2afe4ab315c514ceb79540c54c5cd59128a7a1726c022c3846e57fb5d762360b9db5f34605e7134203f058c693edfb8b5d9d07b86dbc346f451b |
C:\Windows\DigitalLocker\en-US\audiodg.exe
| MD5 | 863907d0f7fda834f9082d0934c22dac |
| SHA1 | a5e2203e77aa5cbdf09201860b3cff26f2a4568b |
| SHA256 | 18a9961015876aab7675a541560c2a85319839258d89820c45400c1ae4dd02a5 |
| SHA512 | 1f8169756f23a9ad588dcddc3c5b1c6fb88076b8d0b7fa9d1af826c7b4ae37e0dc9626f287d304bb010e9c58c8ba4c009ff6fd95466ffffe6b8ce2c1b9fa576d |
C:\Users\Public\Favorites\winlogon.exe
| MD5 | 2c87b08b221d16631449432e54c95305 |
| SHA1 | ad9b5c810a74b379394bc255400ac27991452eac |
| SHA256 | 887ba39a85fcfa864cad7d8b7108fa69f8291d37221acd0dc9c9c6fbdd2f4b70 |
| SHA512 | 6102950b9ccef8b27abaa536cbc9c2c324e18cd83207babe8d75fa1dec73d175c87256ef4d20e2ab458a346eaf4c676accb4000cc04453e867413fead13af5dc |
C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
| MD5 | 8a36f9b05ad23066c7fb1e76c495f394 |
| SHA1 | d4bbf265c916707c0fbe20aff60a9a9f9a0659e1 |
| SHA256 | 7ea1358c158f45eaad31ff39486a41ec279363ba9c945263b28334760c6e3297 |
| SHA512 | 4b853dc4254ca965706643449e88b0af4f702bbccd1b8900461b1da99957751529343bae19ea750459c3dbf3b91a29c93a9332be72ed76fb2d55c8392b2dd5fe |
C:\Program Files\DVD Maker\en-US\audiodg.exe
| MD5 | aa4628f95342cef03d4113ee2c06c865 |
| SHA1 | 7dc41782526aa3e564342f4caa1edac40532d5b4 |
| SHA256 | 8d4526bd40e5f3aca6f56066c6a1a959655ab438e13b5840c8b1b5578ca39725 |
| SHA512 | 92ea2e7b194de089c9d0df3b8b6ac4092939962df32b6cfaa53b789e41893e7bb4380a6f8eec2c8bfdb5676940e69417029d4537defc1ee1cd4d61f1afb9d4e9 |
memory/1420-147-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/2468-148-0x0000000000CE0000-0x0000000000CF2000-memory.dmp
memory/2468-149-0x0000000000D80000-0x0000000000DD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\p7bBo9DGHW.bat
| MD5 | d62447c3f0be72f0aac1cf3659b8be86 |
| SHA1 | ba50ebc99731d70ec10438a0564abd338222ce5e |
| SHA256 | 80298bdcb99324f333f16d04f86ad00b5919e955602958d19dcf38fb263b9320 |
| SHA512 | 9508f97bbb516b694371c240a4abd7ea12c6b0690226779f5a06f61c15bd3c086a1f893a3e5737ec963e6a9f71ed45018a084be6a8350fdd753f9ba9b0b781c2 |
memory/2856-229-0x00000000003F0000-0x000000000073E000-memory.dmp
memory/2856-230-0x00000000008C0000-0x00000000008D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4bb80063-b882-4c22-ae8c-2eac5a3191aa.vbs
| MD5 | e97b333b5d218ea2ab81fed74ba149a3 |
| SHA1 | 8722171226bc2d9c8e1ad54249d7f01809e1a726 |
| SHA256 | cf39ef68b1a504d76525cd957c3dca297a3ef99c7f2c949c688eb9a60c6c3bb2 |
| SHA512 | 853aaffe2fde22b8f004d90bd8fc4f5194f0c90cec645f470ca44eed23d930c1fc6a46c566b93a23a7e13985dbc5e566ea0497b0399e6dfc938032ae6b6d853c |
C:\Users\Admin\AppData\Local\Temp\ee7b0928-6cb0-4b40-a844-92fc7c00faba.vbs
| MD5 | 47cfefce6214acf6bc4b601ac68476b8 |
| SHA1 | 23439332ce6aca5e3372cef94230f381d9d5d684 |
| SHA256 | c7ae5085e46b89895e011b0c19048f1b15dda94d29c7f978d4837c241ad9c0a7 |
| SHA512 | a98f095cb9199cee1a050fd9bf576e5ff7f0a57b7e7a9e6637e16862df4792cd57e2e5235153a7cb190f46edaccd0fe04e9591d85d9100efe49293a1112c5a56 |
memory/2176-241-0x0000000001380000-0x00000000016CE000-memory.dmp
memory/2176-242-0x0000000000B20000-0x0000000000B32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cf21e2d5-bcb9-4358-b6dc-7dd2f336c069.vbs
| MD5 | 4d8d7249da9c697b628cf92b91c66b29 |
| SHA1 | 576f36bda8c449681031900e1c3774c0d54660ee |
| SHA256 | 15fb05d88e778b9fa595bb685ccfcd5cadb804717d101edf56310674e9832550 |
| SHA512 | 37c143a75912b8e5206b73afcb075b8a68993633b48fe97a3aa374e0c15f2f095c3b1aff4f77e0c6e7553472c2b35f1ea3ff0a98e0ce87a8b063d252c6bd2d2d |
memory/2248-254-0x0000000000080000-0x00000000003CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\93bddda3-a851-4548-adbb-e54fec3368d9.vbs
| MD5 | c71ad02e3e0f7af1ccb25fd9fa026206 |
| SHA1 | 5f3093dd16fb9af35d834a04b8d0a843aa81d829 |
| SHA256 | 860abeee4f36a20ff7f28b5e4693df3b05c490fe0e8469c5bc00e7ed734f3962 |
| SHA512 | 43d3ff964925659b368c58e5e43094a724f13a181a7d00d99a24c9d2d941751be0de869f90afb609abcedffae8812880f9de555b5490fb2c1411a827cc4b49f5 |
Analysis: behavioral13
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f329b3a2d6b8a4688e82ffe1c491b2ab.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f329b3a2d6b8a4688e82ffe1c491b2ab.exe
"C:\Users\Admin\AppData\Local\Temp\f329b3a2d6b8a4688e82ffe1c491b2ab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/800-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp
memory/800-1-0x00000000010C0000-0x00000000010D6000-memory.dmp
memory/800-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
memory/800-3-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:40
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Documents\comPM\cpm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Documents\proDM\pdm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Documents\wpas mngr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eset\bts.session\d256a299-1646-4585-b509-cf108bcde166\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\proDM\pdm.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\comPM\cpm.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\wpas mngr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eset\bts.session\d256a299-1646-4585-b509-cf108bcde166\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe" | C:\Users\Admin\Documents\wpas mngr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpasmngr = "C:\\Users\\Admin\\Documents\\wpas mngr.exe" | C:\Users\Admin\Documents\comPM\cpm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe" | C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe" | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpasmngr = "C:\\Users\\Admin\\Documents\\wpas mngr.exe" | C:\Users\Admin\Documents\wpas mngr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpasmngr = "C:\\Users\\Admin\\Documents\\wpas mngr.exe" | C:\Users\Admin\Documents\proDM\pdm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe" | C:\Users\Admin\Documents\proDM\pdm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe" | C:\Users\Admin\Documents\comPM\cpm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eset\bts.session\d256a299-1646-4585-b509-cf108bcde166\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\wpas mngr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\comPM\cpm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\proDM\pdm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe
"C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe"
C:\Users\Admin\Documents\mwps\mwps.exe
"C:\Users\Admin\Documents\mwps\mwps.exe"
C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe
"C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe"
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\d256a299-1646-4585-b509-cf108bcde166\f35d502490f7522150c06d1bd7ca12e2.exe
"C:\Users\Admin\AppData\Local\Temp\eset\bts.session\d256a299-1646-4585-b509-cf108bcde166\f35d502490f7522150c06d1bd7ca12e2.exe" --bts-container 2276 "C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe"
C:\Users\Admin\Documents\proDM\pdm.exe
"C:\Users\Admin\Documents\proDM\pdm.exe"
C:\Users\Admin\Documents\comPM\cpm.exe
"C:\Users\Admin\Documents\comPM\cpm.exe"
C:\Users\Admin\Documents\wpas mngr.exe
"C:\Users\Admin\Documents\wpas mngr.exe"
Network
Files
memory/2916-0-0x0000000074531000-0x0000000074532000-memory.dmp
memory/2916-1-0x0000000074530000-0x0000000074ADB000-memory.dmp
memory/2916-2-0x0000000074530000-0x0000000074ADB000-memory.dmp
\Users\Admin\Documents\mwps\mwps.exe
| MD5 | 307956cbcc6322cef0760b8bd174e081 |
| SHA1 | 4524c29dc44d0a6af35c3091ff63593558d8e0c1 |
| SHA256 | 32695f53c395ddaea37e5200349c9ad57d65c62fbc652265940ca9168604f5a7 |
| SHA512 | d3b61b9c08321eb9330ef55717bae55188401c89aa9284bea09357639c741e272dc217375dfe4e4be0e37958052a0c697c9aa3e387ec803a1d8b325a56eb737f |
memory/2228-10-0x0000000074530000-0x0000000074ADB000-memory.dmp
memory/2228-12-0x0000000074530000-0x0000000074ADB000-memory.dmp
C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe
| MD5 | e6873bdbb73ff60a4468f6e204cdbaee |
| SHA1 | cb42c4061adfb90257beff9eff4929503e0c1fc5 |
| SHA256 | c74123c90df3ded1f9d091b278cf68ce798bb3c7d99b34a46ac0bdff29374045 |
| SHA512 | 5cefe838d1da8c97b5664efc0c49e9e1652700bd16eb3fc1467bc54c05b2f124393d692df11034373fe496df060125baafdafc237f26be4f13e447f2c7e6cd45 |
memory/2916-17-0x0000000074530000-0x0000000074ADB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\d256a299-1646-4585-b509-cf108bcde166\f35d502490f7522150c06d1bd7ca12e2.exe
| MD5 | 6e6fddaa8ecd3f759230a703dfce6d27 |
| SHA1 | 2ef696bc30d0ba48aa2af5c94787d056557fe21b |
| SHA256 | 3bc0f49207c2589667d540a9ee638daed3f350a4e943de22f135590484fd41e6 |
| SHA512 | cfb112e71e0f1841607f4a73b1bbf4c38170736ecdbde3138927d71f6f584d07f95dfe4b0f066e936af968abcbb9f88eef2db48a0a4b800a6cbb63188c643fca |
\Users\Admin\Documents\proDM\pdm.exe
| MD5 | e21b44a5ba5f2cf25a31600ed5678aa3 |
| SHA1 | d651ad21f565aae56c31fd5efeec2c99424eaf3f |
| SHA256 | a9831f4c9dc19ebd13158fd50c8df20e91b7a2568a142e9598f5e87da87aacd4 |
| SHA512 | bec72a0183fa6987cdcc1f528cd719d25bcb68233b77d3f6a0e4be3eeff084dc78c2e2b727c96e3a32326db358c7dc5359fdc657aa02115bfd7220413c206383 |
C:\Users\Admin\Documents\comPM\cpm.exe
| MD5 | 015b69d2468b0454a04cc80027a65224 |
| SHA1 | 00eea83b7c91f8ea797e238827ccbc403c985f8b |
| SHA256 | ea65623a9e39191c0157c2cf541c397fecad15477c962594ee91033df463bd26 |
| SHA512 | 9f562242a04a5fe9f5b4fe8e1edd2bf1b171b75c834317a74c05621cad0605ca19ad2b3028ae60b72841b982b73fd972609f3c37879a50ba3cf69bf1838ea2b0 |
\Users\Admin\Documents\wpas mngr.exe
| MD5 | e03b00824eb87cdf8a4af0158b9f03b9 |
| SHA1 | 39d5d69b3f4e265e44b414ff98323e7332d4984c |
| SHA256 | 482a1c183b8db36574a67afcaad6057386c594480ac6e9b6fd31af6d19356524 |
| SHA512 | cddecdeabee507dcfdb4846ffb14ab6a95930b97be6bf4630feff1378d2b1386ef6feaeda84bc2b8386e5fea7724c19d95ad3e4c47561dd5e64365e52346cfd1 |
memory/2228-50-0x0000000074530000-0x0000000074ADB000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win7-20241023-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
DcRat
Dcrat family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\System.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\OSPPSVC.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\services.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\System.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\OSPPSVC.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\services.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\System.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\OSPPSVC.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\System.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\OSPPSVC.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\", \"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\", \"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\", \"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\explorer.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\System.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\OSPPSVC.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\services.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\lsass.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\taskhost.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft.NET\taskhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\My Documents\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\My Documents\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default User\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\OSPPSVC.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default User\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\inf\\aspnet_state\\0019\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Migration\\WTR\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Migration\\WTR\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\OSPPSVC.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Media\\Calligraphy\\OSPPSVC.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default User\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Mail\\es-ES\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Mail\\es-ES\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Globalization\\MCT\\MCT-CA\\Wallpaper\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default User\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Temp\\Crashpad\\attachments\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Microsoft Games\\Chess\\es-ES\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\fr-FR\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Journal\it-IT\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\fr-FR\RCXF01C.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\es-ES\services.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\fr-FR\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\it-IT\RCXCF53.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\es-ES\System.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\RCXE127.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\fr-FR\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files\Windows Journal\it-IT\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Chess\es-ES\System.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Chess\es-ES\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\es-ES\RCXDEB6.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\es-ES\RCXF21F.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files\Windows Mail\es-ES\services.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files\Windows Mail\es-ES\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files\Windows Journal\it-IT\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\fr-FR\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\schemas\TSWorkSpace\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-deskadp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_08fb31d8a97d61cb\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\inf\aspnet_state\0019\RCXD83D.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\Migration\WTR\explorer.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\inf\aspnet_state\0019\csrss.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\Media\Calligraphy\RCXD3C8.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\inf\aspnet_state\0019\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\Migration\WTR\explorer.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\Migration\WTR\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\inf\aspnet_state\0019\csrss.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\dwm.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\Migration\WTR\RCXE59B.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\Media\Calligraphy\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\Media\Calligraphy\1610b97d3ab4a7 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\schemas\EAPHost\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\1610b97d3ab4a7 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\Media\Calligraphy\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\RCXDA41.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\RCXE9A3.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\dwm.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft.NET\taskhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft.NET\taskhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1028 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | C:\Program Files (x86)\Microsoft.NET\taskhost.exe |
| PID 1028 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | C:\Program Files (x86)\Microsoft.NET\taskhost.exe |
| PID 1028 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | C:\Program Files (x86)\Microsoft.NET\taskhost.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe
"C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\it-IT\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\it-IT\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Calligraphy\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Media\Calligraphy\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Calligraphy\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\aspnet_state\0019\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\inf\aspnet_state\0019\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\aspnet_state\0019\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\attachments\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\attachments\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Chess\es-ES\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\es-ES\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Chess\es-ES\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft.NET\taskhost.exe
"C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 109.107.189.197:80 | tcp | |
| RU | 109.107.189.197:80 | tcp |
Files
memory/1028-0-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp
memory/1028-1-0x0000000000920000-0x0000000000A4C000-memory.dmp
memory/1028-2-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp
memory/1028-4-0x00000000001C0000-0x00000000001D0000-memory.dmp
memory/1028-3-0x00000000003D0000-0x00000000003EC000-memory.dmp
memory/1028-6-0x00000000003F0000-0x0000000000402000-memory.dmp
memory/1028-8-0x00000000004B0000-0x00000000004BC000-memory.dmp
memory/1028-9-0x00000000004D0000-0x00000000004E2000-memory.dmp
memory/1028-7-0x00000000004C0000-0x00000000004D0000-memory.dmp
memory/1028-12-0x00000000022E0000-0x00000000022EC000-memory.dmp
memory/1028-11-0x00000000020C0000-0x00000000020CE000-memory.dmp
memory/1028-10-0x0000000000500000-0x0000000000508000-memory.dmp
memory/1028-5-0x0000000000480000-0x0000000000496000-memory.dmp
C:\Windows\Media\Calligraphy\OSPPSVC.exe
| MD5 | f3873b73a0b2ef5c54ba8ed8a571bc14 |
| SHA1 | 404a503b0a98f21c4adc006ebd7a51466aa1e52d |
| SHA256 | e38968cd849bfac11b8dc61f6945e406dc8fefed82db482d87579b61649cd08f |
| SHA512 | 02f343a965daa821e8f14fda3cc296beb8dac814b6618c20506c5afd9625c8108f868463b9318ace1c6e5600abecf1236751846794879bc465c08e3dfa22515a |
memory/1028-112-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp
C:\Program Files\Microsoft Games\Chess\es-ES\System.exe
| MD5 | 91e906aaf39dc7f3051fb282d67e00b7 |
| SHA1 | 565d394d6a5dd0d4f2b0adac0b28135135f403cc |
| SHA256 | da864210380d84e129180a04f47555768a908f5512ccfb5d983cb30e5322ef11 |
| SHA512 | e4649408aee595a8cd20336c0e57137654c1087410fc006a4706888bd7d21cf52ddc6a534bca226ab63aa5dbeebfa753da1253ce48aeee9abd6d8a1fa2462a0c |
memory/1028-126-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\sppsvc.exe
| MD5 | 8464a8ea3ea56ee5013ac39a676336d8 |
| SHA1 | f12d414cc94f5a23369c86b3553b477a41aab4f2 |
| SHA256 | 061a62f9ff927347b65f26563a33b5c90e325797751e144a7e218af7a2068781 |
| SHA512 | 27f115a4d63758f73dcedbade1d5ce4c5abd4b68fee4a779b04ae4f54671ecf7c179f879ba586e65d4bc233a4c4e7cd46f074ba2a00f0f3449e820788d3f2574 |
memory/2708-188-0x0000000000B30000-0x0000000000C5C000-memory.dmp
memory/1028-189-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp
memory/2708-190-0x00000000004A0000-0x00000000004B2000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250313-en
Max time kernel
106s
Max time network
140s
Command Line
Signatures
DcRat
Dcrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Recovery\WindowsRE\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\termsrv\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\ebea8a0c5b7ebb8dc5b60da7\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\updates\\0\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f26d7a764816fad6183d06a6fc996857 = "\"C:\\Recovery\\WindowsRE\\f26d7a764816fad6183d06a6fc996857.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\KBDMONMO\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\termsrv\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File created | C:\Windows\System32\termsrv\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\System32\KBDMONMO\RCX8821.tmp | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\System32\KBDMONMO\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\System32\termsrv\RCX8E9C.tmp | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\System32\termsrv\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File created | C:\Windows\System32\KBDMONMO\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File created | C:\Windows\System32\KBDMONMO\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653 | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\RCX81F3.tmp | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1964 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | C:\Windows\System32\cmd.exe |
| PID 1964 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | C:\Windows\System32\cmd.exe |
| PID 2268 wrote to memory of 3496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2268 wrote to memory of 3496 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 2268 wrote to memory of 1408 | N/A | C:\Windows\System32\cmd.exe | C:\Recovery\WindowsRE\f26d7a764816fad6183d06a6fc996857.exe |
| PID 2268 wrote to memory of 1408 | N/A | C:\Windows\System32\cmd.exe | C:\Recovery\WindowsRE\f26d7a764816fad6183d06a6fc996857.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe
"C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\0\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f26d7a764816fad6183d06a6fc996857" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\f26d7a764816fad6183d06a6fc996857.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDMONMO\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\termsrv\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UWTsAvnYB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\f26d7a764816fad6183d06a6fc996857.exe
"C:\Recovery\WindowsRE\f26d7a764816fad6183d06a6fc996857.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 62.113.118.176:80 | tcp | |
| RU | 62.113.118.176:80 | tcp | |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/1964-0-0x00007FFE95723000-0x00007FFE95725000-memory.dmp
memory/1964-1-0x00000000004C0000-0x00000000005BC000-memory.dmp
memory/1964-2-0x00007FFE95720000-0x00007FFE961E1000-memory.dmp
memory/1964-3-0x00000000027F0000-0x000000000280C000-memory.dmp
memory/1964-9-0x0000000002830000-0x000000000283C000-memory.dmp
memory/1964-10-0x0000000002840000-0x0000000002852000-memory.dmp
memory/1964-8-0x0000000002850000-0x0000000002860000-memory.dmp
memory/1964-12-0x0000000002880000-0x000000000288C000-memory.dmp
memory/1964-11-0x000000001BFD0000-0x000000001C4F8000-memory.dmp
C:\Windows\System32\KBDMONMO\fontdrvhost.exe
| MD5 | f26d7a764816fad6183d06a6fc996857 |
| SHA1 | ab68307f5b1f1fbe0c99fcbed2b6d6ee3f596409 |
| SHA256 | dd6f503f280cc68627a4ef5082596457d1e608d0aef4a7f0d33e0640e520b81e |
| SHA512 | d3b46e095ceb3cd56975c27708726d6d07a96c7c58aa3273630bfac596608eb868061655177140aef74e71728cd51427a91a9a36fbb4d4cbb2f1fc3c6c50ddfe |
memory/1964-7-0x0000000002820000-0x0000000002828000-memory.dmp
memory/1964-6-0x0000000000EF0000-0x0000000000F00000-memory.dmp
memory/1964-5-0x0000000000E70000-0x0000000000E80000-memory.dmp
memory/1964-4-0x000000001B780000-0x000000001B7D0000-memory.dmp
memory/1964-91-0x00007FFE95720000-0x00007FFE961E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8UWTsAvnYB.bat
| MD5 | c95e0d61725d851f379e434ba21faf03 |
| SHA1 | aaed4fa39b5e39cc580c4f3fa59f9560da222624 |
| SHA256 | b017b9738b55aca533ca8cf795d5160aea70a777987dd695d20b663db032bf4f |
| SHA512 | 2332dcc1f0a9e54b55f2d3c555c2726d4440b7a599e2dd0327126b9e3186f84b85c2b747319330f8a2c11ea3bdc367741b29fcb7a7bb3b35274a6ffbbacf1099 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f26d7a764816fad6183d06a6fc996857.exe.log
| MD5 | bbb951a34b516b66451218a3ec3b0ae1 |
| SHA1 | 7393835a2476ae655916e0a9687eeaba3ee876e9 |
| SHA256 | eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a |
| SHA512 | 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f |
memory/1408-96-0x000000001B9A0000-0x000000001B9B2000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win7-20241010-en
Max time kernel
10s
Max time network
19s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2580 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\f2fe22a9b88a7181ef0a17fcbafba04ca86ac230251f2c02b3a2122056f7b8f7.exe | C:\Windows\system32\WerFault.exe |
| PID 2580 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\f2fe22a9b88a7181ef0a17fcbafba04ca86ac230251f2c02b3a2122056f7b8f7.exe | C:\Windows\system32\WerFault.exe |
| PID 2580 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\f2fe22a9b88a7181ef0a17fcbafba04ca86ac230251f2c02b3a2122056f7b8f7.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f2fe22a9b88a7181ef0a17fcbafba04ca86ac230251f2c02b3a2122056f7b8f7.exe
"C:\Users\Admin\AppData\Local\Temp\f2fe22a9b88a7181ef0a17fcbafba04ca86ac230251f2c02b3a2122056f7b8f7.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2580 -s 536
Network
Files
memory/2580-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp
memory/2580-1-0x0000000000970000-0x0000000000998000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:40
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\explorer.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
"C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1f" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\ShellBrd\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1f" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\WmiPrvSE.exe'
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c41c51d-272e-49a5-bbc4-bbf43635a4d6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\200b6a56-0233-43b7-a356-5ce94b8a5f9d.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0a1ad23-8a4d-4335-962c-4d85705221ce.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0137eebe-eaae-4f02-a9d9-e279c1804788.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d589361a-490f-483a-979a-2c33ba49d8b7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8125a130-3fa6-40d8-97e3-a77bebd59555.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d7bef1-d972-442c-a934-640ce602ce39.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99ff5dd9-823a-40ec-a146-573515bca16f.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8632b13f-b9e5-4740-bf8d-b9ccf0e68900.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03fb21f6-b227-48b2-84e3-811a93d9d657.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55212f8d-a58d-48ee-b1ed-4949d828bcd7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8c756bc-b10a-4b6a-8804-02a4deee2547.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b6f9168-d841-4cfd-8720-a7fe379a7515.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50cace04-3c36-4598-acee-bb021126e9ea.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e17cdd1-9bda-45b4-a81c-b0f3e28efb6b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b6d014-c212-4d50-901b-cdafb3e01347.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26fd3061-a179-431a-8b92-a43944df22f5.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a87e1a-255d-46f5-baeb-062f8eaf3dac.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2103ca-ab36-4d78-84e6-a2857e3ad1b7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba3dc98-1788-4c9e-8eff-b19291e1ed81.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b241a7f3-a31e-420e-bf18-5e9cb2db68af.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56cc43f7-e39f-4d54-89cc-b95be123ac95.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb3c30f-c636-4904-a035-8dd77f2105f0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\830bf09b-2bf6-464a-a4e3-1cb21109214d.vbs"
C:\Program Files (x86)\Internet Explorer\explorer.exe
"C:\Program Files (x86)\Internet Explorer\explorer.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1846a0f8-4e0d-40a5-a25d-25f27673e63f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b762ac7-1b20-45c3-b881-e64504b92cac.vbs"
Network
| Country | Destination | Domain | Proto |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
Files
memory/2752-0-0x000007FEF6623000-0x000007FEF6624000-memory.dmp
memory/2752-1-0x00000000009C0000-0x0000000000B62000-memory.dmp
memory/2752-2-0x000007FEF6620000-0x000007FEF700C000-memory.dmp
memory/2752-4-0x00000000003F0000-0x0000000000400000-memory.dmp
memory/2752-7-0x0000000002020000-0x0000000002030000-memory.dmp
memory/2752-10-0x00000000021D0000-0x00000000021DC000-memory.dmp
memory/2752-9-0x00000000020B0000-0x00000000020BC000-memory.dmp
memory/2752-16-0x000000001A7C0000-0x000000001A7CC000-memory.dmp
memory/2752-15-0x000000001A7B0000-0x000000001A7BA000-memory.dmp
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
| MD5 | e9a05151dfc1c4c2e84f16e25d05f6ee |
| SHA1 | 4bced15dc17ebf0e95cb34558e093446d394b235 |
| SHA256 | f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1 |
| SHA512 | 6bd1a48e3d6a6a76b115bb6b6dddb95c5a39a890ca285f8d9470a6857d73c761225271ea513b1762641b373aa737b845261e0098e94ea8552ddd04226be804af |
memory/2752-14-0x000000001A7A0000-0x000000001A7A8000-memory.dmp
memory/2752-13-0x000000001A790000-0x000000001A798000-memory.dmp
memory/2752-12-0x000000001A780000-0x000000001A78E000-memory.dmp
memory/2752-11-0x000000001A770000-0x000000001A77A000-memory.dmp
memory/2752-8-0x0000000002010000-0x0000000002018000-memory.dmp
memory/2752-6-0x00000000009B0000-0x00000000009B8000-memory.dmp
memory/2752-5-0x0000000001FF0000-0x0000000002006000-memory.dmp
memory/2752-3-0x00000000003D0000-0x00000000003EC000-memory.dmp
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe
| MD5 | 420ae8a6b309ba492304463c9fa57ba8 |
| SHA1 | ffeb9451b71bef3fc6d7760117551238a4510b9b |
| SHA256 | 028982fca887a0aa235ed3263a908fe8f9def43c4fd35add1bbdb60cf1754560 |
| SHA512 | 6778c64aa33de6f2500f313e5c4987143a5061765dab93bceb901e9235f58acd056e63aa7b18dfde5838af25fda9b5e5066cebe3e3ba83cf22e2bd6b9e7e8c72 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
| MD5 | 65fbb2f96c55a5005c50509d1fb66924 |
| SHA1 | 08dc85ebb987a04cba15925bdc136bd93d5a2dbc |
| SHA256 | c8bee22d01fed0635f1b67cb8e29e757ba802dc92656cd0e4db8d57f423605eb |
| SHA512 | bc5fc84f08c17a578e8eb2a87d4179124c657dedb2248b576581da50713452fc26189002de73ebf32adb2097cb4990f2965db5881bbf209466a324bec5ed96de |
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe
| MD5 | 0066f8a171f74cf95eda221a0f6d5f92 |
| SHA1 | 9d0fdfbd25008ba1c95a4046038e3fb0fbd87975 |
| SHA256 | 5cb7ca259219356c4ce4089c774af2f3fe005f000d11ff245a869bb449ca2770 |
| SHA512 | 554a203555f28dfba33d899b2f769b5aef11a59e562c839737e94ca0b6a2ebcd3cc47a2fce59e7be27eebe580b8c34b2a4a20a388db7cccaff9bb65bf81e721a |
memory/2752-220-0x000007FEF6623000-0x000007FEF6624000-memory.dmp
memory/2752-235-0x000007FEF6620000-0x000007FEF700C000-memory.dmp
C:\Program Files\Uninstall Information\WmiPrvSE.exe
| MD5 | 799686b8afbb3bdd23a22aa73fdc19fd |
| SHA1 | 3453b63457ba1c3aee7cc6f561711e855f5a9068 |
| SHA256 | a5e9e2a4c4d3fa7a927dcbcaca047b6f025c55119d3393dad829248f9b4af52c |
| SHA512 | d91485f32cd2f5bdbf93de775998d2ad0a3e6e4f40c364e30458634db1d84fd207bac9e594c5ea010e9bd5cc0b7627a46f50b6c1bb1e6cb7570ae4fc2f824f21 |
memory/2752-259-0x000007FEF6620000-0x000007FEF700C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | b83430ec19d54d0b28e30b9551021e26 |
| SHA1 | 1bcb4abffbc1087c0713dfec7dc4388a70899da1 |
| SHA256 | 89506aa43951434ddaf1e86a19701c524b487ec3bafd47d092c93d9972992bb3 |
| SHA512 | 44e4f6e8133a2ee8dfab2788fc636d6c66da29b2485878bce63e499e06a0050506e0246ca16aadcae279e5110e1d7e6705af5b69fae8afcaf0e0f99754cfea31 |
memory/1736-265-0x0000000002220000-0x0000000002228000-memory.dmp
memory/2952-264-0x0000000000C50000-0x0000000000DF2000-memory.dmp
memory/1736-263-0x000000001B600000-0x000000001B8E2000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\200b6a56-0233-43b7-a356-5ce94b8a5f9d.vbs
| MD5 | 5951b9b0e809f9dc9e51b19cf66abb72 |
| SHA1 | 7801eb10ed8cfb8a21d37497bae59d910306998e |
| SHA256 | 881d92f73623db92ef460bb61ffe2b37525714a860397dc70b8d98719e4ab4c2 |
| SHA512 | e2764f0d640dad60ed56bf9611ae012d77df0992155182a61beaee0879073dea1f521ce5a79384c2f3a72e4a0215325907281f4597893618b8624e83be57676e |
C:\Users\Admin\AppData\Local\Temp\8c41c51d-272e-49a5-bbc4-bbf43635a4d6.vbs
| MD5 | 54b4793f5066374a29d8a5ea1fb06ab9 |
| SHA1 | 0c268681a27fc3bfe040995ee03031fa5112bf45 |
| SHA256 | 0a17f65f7fc1771ed5038179f8781aadc0d716ed7dc3cc73e9d23885204b9d39 |
| SHA512 | 4cd5f682beddf8f626436e64ade43bc580fc4c8cad69a5b4c65a1b361f6a6c38b45a42c063d2fdc84f2850673b8fbdbe562c5ac7db07c3719f9fe3135c4c7ff3 |
C:\Users\Admin\AppData\Local\Temp\f0a1ad23-8a4d-4335-962c-4d85705221ce.vbs
| MD5 | 783a3f1be9e1c9798d58bcffd8b612b2 |
| SHA1 | 07c97a57482f615f6b0985f63608e0e9b0bc0d9f |
| SHA256 | d809aa92ea59b58daecaea64906efe842add31d9bd93cc7822ac72568f816fdd |
| SHA512 | f99d6846fa9d26be3f99a0599a7a2bd5f3a43eb9d962ddbf352e8f5ef265bf74ebbe4dc1fe7c8d26daa87880e338816c7e0dc8ce1736ef542dc94cdf6c5cb454 |
memory/940-376-0x0000000000FF0000-0x0000000001192000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d589361a-490f-483a-979a-2c33ba49d8b7.vbs
| MD5 | bd3fda20d1995d9a24ee77177ed99660 |
| SHA1 | f3edfdfb72264ce0063dea510a30de61a6d6e937 |
| SHA256 | 39751dd96b7a6fa7255ada843db837f610d2ee35662270235e9b5a741366f2de |
| SHA512 | 0a5e92956df951b2d619353af9b6f46781bc24a5debdd2ae6b68694cb561fec2fb27d5a4c5a1abdbc3f35e584cef41ed1cddc0cbf2490e7397da5c9f78c407ca |
memory/2092-388-0x00000000003E0000-0x0000000000582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d9d7bef1-d972-442c-a934-640ce602ce39.vbs
| MD5 | 7af1041d5ad239077e884a6a4bac471e |
| SHA1 | 7ff0f8fc143f9b7cddd1379961bd297a76fb75cf |
| SHA256 | 4addb67f572af99b7ac2a5fa962fbe3e69884dfcbca340f0d00d044faa95660c |
| SHA512 | d48e82b635fbe8bca41acb63e924d1374d158cf8953838b6ea0b9475d93801d26afd6e1a74700dcafe1c50e6e8d5e0f7c5cdeed6d4a9bc906808f23664ecab5c |
memory/1788-400-0x0000000000F10000-0x00000000010B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8632b13f-b9e5-4740-bf8d-b9ccf0e68900.vbs
| MD5 | ee301ac24842c08ce6e637a2471096f3 |
| SHA1 | 587e0ed3eece40b86240c6770b4ba1d66712c605 |
| SHA256 | 6c7b041e386dd4f50c183d57cefab6a785ce761d783d1d61a9506df17e217d3a |
| SHA512 | d65bef5694554c5b6950b46c3333b2123d7b94b12f4c40dfc3659a5dcb5a2c9cdcf043442b59d247734f251ff5b22fda87a5406a74e539ec9fd1c06fc25f57ec |
C:\Users\Admin\AppData\Local\Temp\55212f8d-a58d-48ee-b1ed-4949d828bcd7.vbs
| MD5 | ed85718fdf0f0b33a0a2d182713f842b |
| SHA1 | cf749a12e6653e4f4abf958e9370acf4294d0c40 |
| SHA256 | 5499d62658e7d64dc62634ebef3d052875c02402a38d7d4386ae0e2a9b7c5daa |
| SHA512 | 6adb598c208c65021357ee618c34a42c06fd81237a40e5180893264659dacf297ab8acc82970a8ad85b9741509fb2e86ede128f19add7cb3ac2aa5adb245c93d |
C:\Users\Admin\AppData\Local\Temp\4b6f9168-d841-4cfd-8720-a7fe379a7515.vbs
| MD5 | e9662373e9f298b11d9a470d810e8a56 |
| SHA1 | e831f392d9d38b84bbcaf0bfa29a33a08be40386 |
| SHA256 | 52eeee3303455b0739a25f303764adf8882ad416e9e8d850bee19692986752b6 |
| SHA512 | afff8b7427e8c92f4d987eeac1762466f96b3d6aa75fe922f28a2d73fabfd612dabd63ec38d2da167c33b0d580d5575072126c59e097358b830f78aa2f753c38 |
C:\Users\Admin\AppData\Local\Temp\9e17cdd1-9bda-45b4-a81c-b0f3e28efb6b.vbs
| MD5 | db4ec2fe777f433687cd2e79f772790e |
| SHA1 | a075359840b2ecc01a39f83a1e3194e0bf3adc69 |
| SHA256 | 11b43cfab12984adc961b1c7dc9c9849539587b4e5ee5a1b29dd74f8d623fc8f |
| SHA512 | 8b6f7872f19e6ecbba50c52be080c7e8e5fab24a178c66735191d2bbbbbf4f2641b1a1f74c9eec1894815e4ae22357749d89d5ac2c25cc4d54a833d1dc3e42ef |
memory/952-445-0x00000000003D0000-0x0000000000572000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\26fd3061-a179-431a-8b92-a43944df22f5.vbs
| MD5 | 0ffe411c9b26e225b883ef64993318ba |
| SHA1 | fd948466b66b6cbe81d6076281c5546232d5d863 |
| SHA256 | 9e0ef36d2c5aed2fd9e5048a33bd74b461d4f50569ac5a6e34d228d3181e566a |
| SHA512 | 1bebe48e5b833716aa95bb3b2433845bf653311a86e74c93a8493f9870c9e952c0edb6dd8e8290fdea8081c91cd5f1ac344016d23f7b5f8088e03c0ab97e4367 |
memory/2008-457-0x00000000012D0000-0x0000000001472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8b2103ca-ab36-4d78-84e6-a2857e3ad1b7.vbs
| MD5 | 898471d752fa946b7c863fd5da12dee2 |
| SHA1 | 7d38e2ea23a12e1a3ec00fc33c38b7adfefe5acf |
| SHA256 | 753d4458fa907a72a50267461d13c003115f79d906898496b53043e43aa7fe9e |
| SHA512 | 8e1be42e1a8dc9a1333772d803c22937f3e311317f625d470ade8e44cdbc5445ed18923fe763b386d10087f9acdcb01b7774b53e3c2550722a5a7f888be9a5a7 |
C:\Users\Admin\AppData\Local\Temp\b241a7f3-a31e-420e-bf18-5e9cb2db68af.vbs
| MD5 | 0d99707727af6480e52572de3c6c741a |
| SHA1 | b25740c4ca91b5a3caff1cd001655fbe6947a107 |
| SHA256 | f832db96c180097b5930cbfe5519cb224a64e083c3077bfcc2a71327116bb0c7 |
| SHA512 | 476598457ea62e07f7de12741f5d6ce7b77b99e5a2c72c7c5441b25e17603a98c229c433a6c2757e8eebf82c8eeb68ea42861591ce11c99d6cd8ba446aceda2d |
memory/1708-480-0x0000000001370000-0x0000000001512000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\AuditNativeSnapIn\sppsvc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\cmpbk32\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\onexui\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\AuditNativeSnapIn\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\AuditNativeSnapIn\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File created | C:\Windows\System32\cmpbk32\lsass.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File created | C:\Windows\System32\cmpbk32\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File created | C:\Windows\System32\onexui\csrss.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\System32\AuditNativeSnapIn\RCXEACD.tmp | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\System32\cmpbk32\RCXECD1.tmp | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\System32\cmpbk32\lsass.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\System32\AuditNativeSnapIn\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File created | C:\Windows\System32\AuditNativeSnapIn\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File created | C:\Windows\System32\onexui\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\System32\onexui\RCXEED5.tmp | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| File opened for modification | C:\Windows\System32\onexui\csrss.exe | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\AuditNativeSnapIn\sppsvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\AuditNativeSnapIn\sppsvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe
"C:\Users\Admin\AppData\Local\Temp\f26d7a764816fad6183d06a6fc996857.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\AuditNativeSnapIn\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\cmpbk32\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\onexui\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cCgr87D50L.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\AuditNativeSnapIn\sppsvc.exe
"C:\Windows\System32\AuditNativeSnapIn\sppsvc.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 62.113.118.176:80 | tcp | |
| RU | 62.113.118.176:80 | tcp |
Files
memory/2080-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp
memory/2080-1-0x0000000000980000-0x0000000000A7C000-memory.dmp
memory/2080-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
memory/2080-3-0x0000000000440000-0x000000000045C000-memory.dmp
memory/2080-7-0x0000000000610000-0x0000000000620000-memory.dmp
memory/2080-8-0x0000000000620000-0x000000000062C000-memory.dmp
memory/2080-6-0x0000000000600000-0x0000000000608000-memory.dmp
memory/2080-9-0x0000000000840000-0x0000000000852000-memory.dmp
memory/2080-10-0x0000000000870000-0x000000000087C000-memory.dmp
memory/2080-5-0x00000000005F0000-0x0000000000600000-memory.dmp
memory/2080-4-0x00000000005E0000-0x00000000005F0000-memory.dmp
C:\Windows\System32\AuditNativeSnapIn\sppsvc.exe
| MD5 | f26d7a764816fad6183d06a6fc996857 |
| SHA1 | ab68307f5b1f1fbe0c99fcbed2b6d6ee3f596409 |
| SHA256 | dd6f503f280cc68627a4ef5082596457d1e608d0aef4a7f0d33e0640e520b81e |
| SHA512 | d3b46e095ceb3cd56975c27708726d6d07a96c7c58aa3273630bfac596608eb868061655177140aef74e71728cd51427a91a9a36fbb4d4cbb2f1fc3c6c50ddfe |
memory/2080-44-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cCgr87D50L.bat
| MD5 | 05e1a1500b0c9d9290b69f5a98eac7cb |
| SHA1 | 34a37498bac1a4bcf4d2d68f27b596ae86c2484a |
| SHA256 | a00891bb7d323a4a19c9c11dc2a1a2ac2ec965bebd62f11a41647412098185ef |
| SHA512 | 5ce7ab04ccfd9670305c726923435ba4bfac508779cea7dbad7b46b6cb2762358ab2a26d5404248e266e48fabf0bee5b567ccf90af9a91633b56a69e3c3c912c |
memory/2140-48-0x00000000011A0000-0x000000000129C000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:40
Platform
win10v2004-20250314-en
Max time kernel
103s
Max time network
142s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\f2fe22a9b88a7181ef0a17fcbafba04ca86ac230251f2c02b3a2122056f7b8f7.exe
"C:\Users\Admin\AppData\Local\Temp\f2fe22a9b88a7181ef0a17fcbafba04ca86ac230251f2c02b3a2122056f7b8f7.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/3340-0-0x00007FFFF41D3000-0x00007FFFF41D5000-memory.dmp
memory/3340-1-0x0000000000C70000-0x0000000000C98000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:40
Platform
win10v2004-20250314-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | C:\f9532e701a889cdd91b8\RuntimeBroker.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
"C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\debug\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\f9532e701a889cdd91b8\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\taskhostw.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
"C:\f9532e701a889cdd91b8\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd6ef14e-444e-41fa-8cdb-2afd3974f32b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb798b49-b016-4c9d-9684-1b318289344b.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea2bcf2c-42de-481b-ba68-dab13f48d099.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\188bfe50-45f6-491a-90bf-5893506ad102.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e56d159-9ba5-4529-9ace-ef93dadf5bc9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bccace8-fe47-4383-8ac9-9e32f6c72b8d.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80af5370-3e97-42f3-ab5a-dbaa729360b7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8d7eb8d-4ecb-4185-a13e-f60ba11cdc21.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53c3f99b-c2f4-45d5-834b-0df2ee43f0aa.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc12ef0c-40e0-4104-a995-7709b7f39716.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\433587aa-aee6-45bb-ad29-1430cfdc9e0a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\720b21ba-8fe6-43f5-a0ca-d64e6120f138.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c694ebd2-8d37-4c7a-9a48-439b145cd78a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d6ab9ee-574b-48b5-aa07-0b8d07635ed0.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36986f5d-8e90-431a-9429-a6619807d468.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29c2508a-073f-42a4-abc1-0763f39707e3.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bef0f73b-26fe-46f1-9c8b-3f72259cc06e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97e3ff64-33fa-41bd-91ef-bd85edc9ef41.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98beb925-0032-47d2-b155-33386f613026.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd722bcb-0f00-44c0-92fe-913ebad29efe.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd78be60-0762-459c-8067-6abe9fc703bf.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508c32be-fdcc-42dc-a83f-ed5df7f59ca2.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65df6e56-8b5f-4698-8d05-383f052bf21f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58667d0d-ce51-4231-958b-a865aa403400.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\032a9240-ac34-46cd-bc5d-ff1b887b9818.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bac4d3bf-b671-40ab-a702-24a763413a2c.vbs"
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\f9532e701a889cdd91b8\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5091f144-858a-4a5e-be07-b36e1b9bce95.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d535cbdb-4f73-439d-b492-093360f4ff15.vbs"
Network
| Country | Destination | Domain | Proto |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
Files
memory/5248-0-0x00007FFFF8623000-0x00007FFFF8625000-memory.dmp
memory/5248-1-0x0000000000790000-0x0000000000932000-memory.dmp
memory/5248-2-0x00007FFFF8620000-0x00007FFFF90E1000-memory.dmp
memory/5248-8-0x000000001B500000-0x000000001B510000-memory.dmp
memory/5248-16-0x000000001BF20000-0x000000001BF2A000-memory.dmp
memory/5248-17-0x000000001BE20000-0x000000001BE2C000-memory.dmp
memory/5248-15-0x000000001BE10000-0x000000001BE18000-memory.dmp
C:\aff403968f1bfcc42131676322798b50\sihost.exe
| MD5 | e9a05151dfc1c4c2e84f16e25d05f6ee |
| SHA1 | 4bced15dc17ebf0e95cb34558e093446d394b235 |
| SHA256 | f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1 |
| SHA512 | 6bd1a48e3d6a6a76b115bb6b6dddb95c5a39a890ca285f8d9470a6857d73c761225271ea513b1762641b373aa737b845261e0098e94ea8552ddd04226be804af |
memory/5248-14-0x000000001BE00000-0x000000001BE08000-memory.dmp
memory/5248-13-0x000000001B530000-0x000000001B53E000-memory.dmp
memory/5248-12-0x000000001B520000-0x000000001B52A000-memory.dmp
memory/5248-11-0x000000001B4F0000-0x000000001B4FC000-memory.dmp
memory/5248-10-0x000000001B4E0000-0x000000001B4EC000-memory.dmp
memory/5248-9-0x0000000002CB0000-0x0000000002CB8000-memory.dmp
memory/5248-7-0x0000000002CA0000-0x0000000002CA8000-memory.dmp
memory/5248-6-0x0000000002C80000-0x0000000002C96000-memory.dmp
memory/5248-5-0x0000000002C70000-0x0000000002C80000-memory.dmp
memory/5248-4-0x000000001B490000-0x000000001B4E0000-memory.dmp
memory/5248-3-0x0000000002C50000-0x0000000002C6C000-memory.dmp
C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe
| MD5 | 9f0891eaa75025a4b7c55a09cd953a14 |
| SHA1 | 6f20df61311e96cea70c11e2582b5983523c00f8 |
| SHA256 | 5a3e2a16533c60a8e75786910ad64607e3c6fbdd7391841df661417b1a237add |
| SHA512 | 220ca988f8bca54bfef4c8ba68463db3c51ce5ab810016e8657e957505d662d5daff595056118aea687e3d12fdd6e4893a356583d454f90fec1119a29c71514b |
C:\f9532e701a889cdd91b8\lsass.exe
| MD5 | dc98db65c10a6539b0f530be578305f8 |
| SHA1 | 068c4bcd0071e890544052253ef91d9be98a996b |
| SHA256 | 1696c3cb9ef5aebfd8875acf64668ebbe8fda28cc98fa00855a0d5fc03779486 |
| SHA512 | f5f0a68d394d0d25d1f9293a8e4d9db637398f34327512ae070b9dc44648f3bfa2f54de740a539da98b130a2c12b27c3cfd1a079f7fd5c658b0afe33cbf373c0 |
C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe
| MD5 | 6ba35f00a2b8a2bfa64772e461d8023e |
| SHA1 | 5b07a609dd767a361aea2ef4d62dbe64aa413d76 |
| SHA256 | e182fbb788753a7f5361139ce1dc339f5e91700f19233f031fa574516e548d1b |
| SHA512 | 40612b876ea1c44ca349b738dbbfd7dbc192b02797071836a5635efd61d29c9411dde10063222fa32202baa598bec51699f0ada7dc57fe6cbd66669f9032e2b8 |
C:\f9532e701a889cdd91b8\dllhost.exe
| MD5 | b2109dc6a840d3a88727c40a8bbd66e3 |
| SHA1 | 1b2673f626dc4a4f486e14ea9a8764ec0702c1d6 |
| SHA256 | ff452cc9dd679bf3bd431ead23f8486cea86e2e45365d32e4eb3c28a7f941a96 |
| SHA512 | f48b9a12a679a55554fec699f1fb4f5637313983ad2b7fd70f6b25a9a19f9855a4f08b821a3b38e69f6f0c2c72e0e6a9a01923f12019f42b1b8b758ed549244e |
memory/5248-203-0x00007FFFF8623000-0x00007FFFF8625000-memory.dmp
memory/5248-227-0x00007FFFF8620000-0x00007FFFF90E1000-memory.dmp
memory/5360-306-0x0000022020E40000-0x0000022020E62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qosnf5nj.j03.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5248-433-0x00007FFFF8620000-0x00007FFFF90E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3357c199be211a745818714039e25935 |
| SHA1 | 7d50d07ff2e234f3d10a88363796cbd615b1e9a3 |
| SHA256 | 668bb751b77a8c5c53c7efcb71e3ee9b2902388e0503e6d6ad3647587a0a0a38 |
| SHA512 | 052751067bede3dba675313a1c0d88c0e76d62bbc903dbd9ba4cf2b8d03530716c021926bbe34242af9516a77e27df080d1cedde04d8cb51c88c1484ea8a1077 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 80dfd43d9904cb4bdd37f6934f47ccf8 |
| SHA1 | 72c0981be679ef6a22cbabbdc3e02a7e80a3eafc |
| SHA256 | a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad |
| SHA512 | 793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 566ef902c25833fe5f7f4484509fe364 |
| SHA1 | f8ba6651e7e4c64270e95aac690ad758fa3fc7f8 |
| SHA256 | 28265aaf259c60ae208b025f4c6b317c0799154b5d40d650bf44ef09f4805514 |
| SHA512 | b2c696820b775c0705884f606b4ac464d75d8d5e415bee2fb1e68d07ca288c953936d9286f277082fc11fbae24748c6a872f0be540be37190f0383c7b16820a3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7ebbb17f3791dea62cf267d83cf036a4 |
| SHA1 | 266c27acf64b85afd8380277f767cc54f91ab2b0 |
| SHA256 | 2345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19 |
| SHA512 | 6e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 47d9df7fab0d0c96afdd2ca49f2b5030 |
| SHA1 | 92583883bcf376062ddef5db2333f066d8d36612 |
| SHA256 | 0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02 |
| SHA512 | 1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1641de9a10da75d35edf03caa25212c1 |
| SHA1 | af73f64f8ce476c8e4eb56bb40426552d34c1ca8 |
| SHA256 | 5fbacccb41dad88018fad178d824e1dc4cdc48e08032d374ac88d37c88ee60c2 |
| SHA512 | 7123f9d69a0930a5143e442893cb2711bd9fd911f50e00f7b651ff8d448b78541ea0fa5f36452ad30e4c90ebfd1b1cc51e97422d6649089ec6b9f783ee6101e0 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9191187d695b2965f2ceb651f0b37ee8 |
| SHA1 | b50a4038fb94c8aa7cff8d6941a4329b5b2ae8c7 |
| SHA256 | 654a46452391ae3310ff9c6a4c820774e950276014fea044c41f007f6c335833 |
| SHA512 | 90094f44f83470c88c4fcecb239f70e8e791b3b3da628c00676e3c4791766808b4e31c12beef2a7bc7d6a12d05bd8150888461ed1ef7e9eebc8697f6955d63bc |
C:\Users\Admin\AppData\Local\Temp\cd6ef14e-444e-41fa-8cdb-2afd3974f32b.vbs
| MD5 | 2f7e570abe2320df6b67ca44d010587c |
| SHA1 | f30c32b31962bc391dc9d840abe0a73b1197f264 |
| SHA256 | 7906b2499e1cbcde85aa023e3c273b5316452d1ff65b8b1e84d168cb570ec1a2 |
| SHA512 | d80aca403ee6e9520bbb7308d8a7a8ba8c7d19487df03178ee466491f74a8011bd4370c52096ae1f86aa99060a62016936ad5078cad6719685c038a58b3ce468 |
C:\Users\Admin\AppData\Local\Temp\bb798b49-b016-4c9d-9684-1b318289344b.vbs
| MD5 | cac99b07d7c7c91a799a5e22c6184051 |
| SHA1 | 756abed185f12a59be91fd0b44fd166852e87933 |
| SHA256 | 25ed4aa0b3881547265796cd29fcfd70c0fd6b4f95982cf0159a8b0eb707c5de |
| SHA512 | 1858cbe5fe5cd010023cb3a01cc472c262c9d4685381e3e82f43c7a9e606f586ae6dcf4b36dc3d3a4289c76978411ecc7deed92d61f5ac318d3c15cc22f009cb |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
| MD5 | 3690a1c3b695227a38625dcf27bd6dac |
| SHA1 | c2ed91e98b120681182904fa2c7cd504e5c4b2f5 |
| SHA256 | 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73 |
| SHA512 | 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1 |
C:\Users\Admin\AppData\Local\Temp\ea2bcf2c-42de-481b-ba68-dab13f48d099.vbs
| MD5 | c8c3efea57ab8ab0be72e30a9039280f |
| SHA1 | 1b6b3d71bc5590b452b76061034355eefd258692 |
| SHA256 | 17477695efe3fe5be63b93f269ef0b606e3b878d3bfd4b87d07a5bcabcea284f |
| SHA512 | 1c5195b2fb5bd12512d22f3b8e20d7e37a3b7801cd5a6ffaf520f53c7b8bcbec74e05c85f9dfb7894d809dffce72c861458d5ec524acd8e30cc5bb1ce79f1f6f |
C:\Users\Admin\AppData\Local\Temp\1e56d159-9ba5-4529-9ace-ef93dadf5bc9.vbs
| MD5 | d346c3a705d728e68f84112b5792ece0 |
| SHA1 | 53ca4f7303368598cee78f792af359dbaa7947e9 |
| SHA256 | 023256810eae0be2c6440feb9a8a62ed2d648d7a56e2397884cd68397c898e1f |
| SHA512 | fb232677157e3766429aad3803c28810c79b4518138fa90236f09e759fcf60ed9b1514507074d98a30f2f8d54ea96f2f6be6c3fb73e2fdad368844ccd0f40162 |
C:\Users\Admin\AppData\Local\Temp\80af5370-3e97-42f3-ab5a-dbaa729360b7.vbs
| MD5 | 4f9bd8e7691748967c53fa4b09d55c85 |
| SHA1 | e4c8e5b0a90798184381dc551a10d0dd16b91fa2 |
| SHA256 | 77d82b5220af6713b1421ef9e650a3bdf856515f9860a767094d6c414426a0d0 |
| SHA512 | c27ff9d4f6c6d36513096f20976de7b8cc034573c21d97aa08086695b713a6ce78f2b89cb3da7fd453545b55660f088d4228e200f9ffb46764a0ba7a3ef6c0cd |
C:\Users\Admin\AppData\Local\Temp\53c3f99b-c2f4-45d5-834b-0df2ee43f0aa.vbs
| MD5 | ad5dbd5af5c94203f0ffd5e478cea2e6 |
| SHA1 | 32d0a8bd1915bd587a31bfdf611d1a2aff10bb63 |
| SHA256 | 37fc74689621b7bf46612115aef768395d058f8d516ded19aee8fff84cdfae84 |
| SHA512 | d1f0974b6a6a572d74e7fb9084e59349fca9b55df548d243f09fa03763c395c8bd90a1f42774ab83226d9de558c786af20c2a17f4c4689f73cf8fd6ff2d9832a |
C:\Users\Admin\AppData\Local\Temp\433587aa-aee6-45bb-ad29-1430cfdc9e0a.vbs
| MD5 | 1b1a6db2f0a02c741916661e90fcc277 |
| SHA1 | 734766500b7dd1f5384ac921a56ab3a7dbeb73cc |
| SHA256 | f50f1c0956d2981b52bce6b37c309fedcec734e8d9ba7c693cc8d0d8f83441c2 |
| SHA512 | c3bb06d2c911915ce3db5a9497a08e433cf74443052213767b8e23f72f2b1efd5f361af84027757375c1b94e72e1a5dc5e87e11b61c86818532ccf2996da0e40 |
C:\Users\Admin\AppData\Local\Temp\c694ebd2-8d37-4c7a-9a48-439b145cd78a.vbs
| MD5 | 227c31c9e80b16635e16d6034d8a7ada |
| SHA1 | bc30235aa1eb95daf15ae5f3624800b81443de96 |
| SHA256 | f32632d503890cd56d3f1f4d8b1add2ca86f5b4d60a7c514c8117bd97ba3e503 |
| SHA512 | 6831e90509d5c57b8b2bb2432d0b71de916cf29194dd060a23f8f51a9805a72580d0205818278ba58b3be206fd2654b4590b590ed08760527c8525b98bd4782f |
C:\Users\Admin\AppData\Local\Temp\36986f5d-8e90-431a-9429-a6619807d468.vbs
| MD5 | 89dd8847bfe19725f49262568335f753 |
| SHA1 | fa6e2b477ac53675b45e3689d5cba66136fed54a |
| SHA256 | 638818972644a5e91cec1dfb860d42060ac49d120467216ae7184ba52fc47a71 |
| SHA512 | 37ce02cacf939e557aaa669e1c07f1bb358f1f3cae1e837c344e7bc78c1a8ac72d6e8d09bc8eecf3014e8a5adec06af99cd84bc0c6210ef04e90243320da1b65 |
C:\Users\Admin\AppData\Local\Temp\bef0f73b-26fe-46f1-9c8b-3f72259cc06e.vbs
| MD5 | ddfa6d260b910f8a54d12287b0c9a308 |
| SHA1 | d38990728915fcdc48b6bdcd4c724f6fc92155f1 |
| SHA256 | 0489f2da98c43134d3d6d4f0042c4ff7cc4b3a7014e56b8839bc98d133774e0f |
| SHA512 | 3fafa8aea3f67b9389c5686abc9ad8184c68a959e105cc2e52e185355f5cba62db7dce2eba3b89a1bf2a9d911b8ea4f7ac5920e780fecf51d71472937482461f |
C:\Users\Admin\AppData\Local\Temp\98beb925-0032-47d2-b155-33386f613026.vbs
| MD5 | bf80419a1c2d21b5dca21bafbdef2d4b |
| SHA1 | ee4f26a71d33b3194f8b422416b7e86e6468d5a9 |
| SHA256 | 68f9cf9183a88fbce7382540abfdf24947a197b829ed94085f3f2c0c8ad0bc8f |
| SHA512 | df7bff36e452cc39adcda68b546048d3a75900ceea0b5fbc4bee9aac5546012f20ac74348565ec2f6c034aa602be9180e6e8ec8825d3faf4aa8638dfc537c4bb |
C:\Users\Admin\AppData\Local\Temp\fd78be60-0762-459c-8067-6abe9fc703bf.vbs
| MD5 | 9ced08ff22e42d2faab2f42288d429a9 |
| SHA1 | a6fc9681dd84b175bd8e5c7b161a0e94359cf5b4 |
| SHA256 | 844094974633c19ca22822901e8ae140ce02052d46bf03ad5d3d8fbb61dc87a6 |
| SHA512 | 853e607e54bd9b9f1758654459c0bb4c80372cf444cb101e21a2df213e9e40acceb37a9506316c3a142eb70930a63f6859aff04d43cbc5760417e0ec7a74f632 |
C:\Users\Admin\AppData\Local\Temp\65df6e56-8b5f-4698-8d05-383f052bf21f.vbs
| MD5 | 0e0a4d5548c918e819772d197351d2cf |
| SHA1 | 385cfa6c040e145f7ebc07c79c5c8a9e5e66f037 |
| SHA256 | 3e0109510fc4ef282e24fd22e26f07782ca9f65cf63ab10ac9b8bf7cd977b086 |
| SHA512 | 0f375b5e232db153ed28dbd473dca7bad712eba8131b5da800c06a103a4bd528b3f96fde1ccdd40799d6635825b011cdab8deccbddb674852051ad1511a6e702 |
Analysis: behavioral19
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win7-20241010-en
Max time kernel
122s
Max time network
132s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f36fde098314a27faa2d29aeb76c2bfb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f36fde098314a27faa2d29aeb76c2bfb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f36fde098314a27faa2d29aeb76c2bfb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f36fde098314a27faa2d29aeb76c2bfb.exe
"C:\Users\Admin\AppData\Local\Temp\f36fde098314a27faa2d29aeb76c2bfb.exe"
Network
Files
memory/1552-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp
memory/1552-1-0x000000013FBF0000-0x000000013FC5C000-memory.dmp
memory/1552-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
memory/1552-3-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
memory/1552-4-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
memory/1552-5-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp
memory/1552-6-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250313-en
Max time kernel
36s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3eedde12ec9a2f363c13d643bd2acdf.lnk | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3eedde12ec9a2f363c13d643bd2acdf.lnk | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Windows\system32\reg.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f3eedde12ec9a2f363c13d643bd2acdf = "C:\\Users\\Admin\\AppData\\Roaming\\f3eedde12ec9a2f363c13d643bd2acdf.exe" | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\Programmable | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0219-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\DeviceUpdateCenter | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Extensions\ContractId\Windows.File\PackageId\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F6342F2-D848-42E3-8995-C10A9EF9A3BA}\TypeLib | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{305900A9-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBC} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBA} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\cplfile\shell\cplopen\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B923FDE1-F08C-11D3-91B0-00105A0A19FD}\ProxyStubClsid32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\MicrosoftWindows.Client.CBS_120.2212.3920.0_x64__cw5n1h2txyewy\ActivatableClassId\InputApp.AppX654gddqdhxd9smyt91r9s0dr975jqnh9.mca\Custom | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03D4-0000-0000-C000-000000000046} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\7-Zip.tar\shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\AppXpwc46qrmp0f8q5ysxk6ngj8d32yk22kz\Shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBB} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0139-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0239-ABCDEFFEDCBA} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0327-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0319-ABCDEFFEDCBA} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.wab | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings\CurVer | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\vlc.exe\shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71985F4B-1CA1-11D3-9CC8-00C04F7971E0}\Instance\Microsoft ATSC Network Provider | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4C18D40-1CD5-101C-B325-00AA001F3168}\VersionIndependentProgID | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\ActivatableClassId | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002088B-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mspaint.exe\SupportedTypes | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0206-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\opennewwindow | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ProxyStubClsid32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0136-ABCDEFFEDCBA} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0306-ABCDEFFEDCBB} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0139-ABCDEFFEDCBA} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0207-ABCDEFFEDCBA}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E9729012-8271-4e1f-BC56-CF85F914915A}\TypeLib | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6F6E6E26-F123-437D-8CED-DC1D2BC0C3A9} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{941105E9-760A-49EC-995F-7668CB60216C}\ProxyStubClsid32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0E13A85-238A-4800-8315-D947C960A843} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0293-ABCDEFFEDCBA} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51A21C32-DD1F-4D3C-85F1-6F8A6172CA82}\ProxyStubClsid32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\AcroRd32.exe | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CID\3f55c848-83c8-4649-9928-10a9f8aa72f8\CustomProperties | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\Control | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4A8539E-015A-4F13-AE49-E78C1D9DA236} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\OpenWithList\notepad.exe | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020833-0000-0000-C000-000000000046}\MiscStatus | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0202-ABCDEFFEDCBA} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Chart.8\CLSID | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E2-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0185-ABCDEFFEDCBC}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBB}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0178-ABCDEFFEDCBA} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5d69e663-e64e-5d4b-b50f-f6f34bdd9015}\ProxyStubClsid32 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\AppX3p914qnpgw4hwj856jw2y286v7d4qnzh\Shell\open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0123-ABCDEFFEDCBB} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000035-0000-0010-8000-00AA006D2EA4} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000208E1-0000-0000-C000-000000000046} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000209E1-0000-0000-C000-000000000046} | C:\Windows\system32\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 6020 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe |
| PID 6020 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe |
| PID 2480 wrote to memory of 6056 | N/A | C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe | C:\Windows\System32\cmd.exe |
| PID 2480 wrote to memory of 6056 | N/A | C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe | C:\Windows\System32\cmd.exe |
| PID 6056 wrote to memory of 2176 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 6056 wrote to memory of 2176 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe
"C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe"
C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe
"C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x3c8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKCR /f
C:\Windows\system32\reg.exe
reg delete HKCR /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | request-busy.gl.at.ply.gg | udp |
| US | 147.185.221.27:6728 | request-busy.gl.at.ply.gg | tcp |
| US | 147.185.221.27:6728 | request-busy.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | udp | |
| N/A | 199.232.214.172:80 | tcp |
Files
memory/6020-1-0x0000000000F80000-0x0000000000F92000-memory.dmp
memory/6020-0-0x00007FFB2BE73000-0x00007FFB2BE75000-memory.dmp
memory/6020-8-0x00007FFB2BE70000-0x00007FFB2C931000-memory.dmp
memory/6020-9-0x00007FFB2BE73000-0x00007FFB2BE75000-memory.dmp
memory/6020-10-0x00007FFB2BE70000-0x00007FFB2C931000-memory.dmp
memory/6020-11-0x0000000003240000-0x000000000324A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe
| MD5 | 866805b3414d1f1ad797c8ef51e63860 |
| SHA1 | 7196fd0df3f92d9c3677927b9973db196b12f1e6 |
| SHA256 | e65a3ff4d43861f1096c7963b848d10c831c0990f0f75b76ae9a575179776355 |
| SHA512 | bcb38dbe1a3d8f3b0812b3ca244608f0ae96fd38489639efd4d7c7dfa2cfcce1fbf9820b35abc9cb90ce31b8c5b032a6cc6099dde6b44a0bc2f47d4e9cbae575 |
memory/2480-23-0x0000000000B50000-0x0000000000B5A000-memory.dmp
memory/2480-27-0x00007FFB2BE70000-0x00007FFB2C931000-memory.dmp
memory/2480-28-0x00007FFB2BE70000-0x00007FFB2C931000-memory.dmp
memory/2480-29-0x00007FFB2BE70000-0x00007FFB2C931000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:40
Platform
win7-20240903-en
Max time kernel
132s
Max time network
144s
Command Line
Signatures
AsyncRat
Asyncrat family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3032 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe | C:\Users\Admin\AppData\Local\Temp\loader.exe |
| PID 3032 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe | C:\Users\Admin\AppData\Local\Temp\loader.exe |
| PID 3032 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe | C:\Users\Admin\AppData\Local\Temp\loader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe
"C:\Users\Admin\AppData\Local\Temp\f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe"
C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | health-eddie.gl.at.ply.gg | udp |
| US | 147.185.221.24:14888 | health-eddie.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:14888 | tcp | |
| US | 147.185.221.24:14888 | health-eddie.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:14888 | tcp | |
| US | 147.185.221.24:14888 | health-eddie.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:14888 | tcp | |
| N/A | 127.0.0.1:14888 | tcp | |
| US | 147.185.221.24:14888 | health-eddie.gl.at.ply.gg | tcp |
| US | 147.185.221.24:14888 | health-eddie.gl.at.ply.gg | tcp |
Files
memory/3032-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp
memory/3032-1-0x0000000000DA0000-0x0000000000DC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\loader.exe
| MD5 | 4aa7d943848162a275ed466ca2898d7b |
| SHA1 | 65b3e3df57c4d335bf2b90258854cc8cfd2a9381 |
| SHA256 | 45d059a5c9e81a2ccd5e7b40208f9daa28f097c6882ead7cea18ee0e5a9c51b9 |
| SHA512 | a952b7ef59a310227bf3f3399da9faf6969198f613b6ef09b6ea120e5f09427c7b39f9a1259194c38d116458274ca6aab27df8585dfa433560f617abdc6703de |
memory/2724-7-0x00000000009F0000-0x0000000000A06000-memory.dmp
memory/3032-8-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
memory/2724-9-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
memory/2724-10-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
memory/2724-11-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
memory/3032-12-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
memory/2724-13-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Documents\proDM\pdm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Documents\comPM\cpm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Documents\wpas mngr.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eset\bts.session\ac5ffe71-247f-4294-8c82-fa72beef95ab\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\wpas mngr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\proDM\pdm.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\comPM\cpm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe" | C:\Users\Admin\Documents\proDM\pdm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe" | C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpasmngr = "C:\\Users\\Admin\\Documents\\wpas mngr.exe" | C:\Users\Admin\Documents\wpas mngr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe" | C:\Users\Admin\Documents\wpas mngr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpasmngr = "C:\\Users\\Admin\\Documents\\wpas mngr.exe" | C:\Users\Admin\Documents\proDM\pdm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpasmngr = "C:\\Users\\Admin\\Documents\\wpas mngr.exe" | C:\Users\Admin\Documents\comPM\cpm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe" | C:\Users\Admin\Documents\comPM\cpm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPSSPDR16 = "C:\\Users\\Admin\\Documents\\mwps\\mwps.exe" | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eset\bts.session\ac5ffe71-247f-4294-8c82-fa72beef95ab\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\proDM\pdm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\wpas mngr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\comPM\cpm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\mwps\mwps.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe
"C:\Users\Admin\AppData\Local\Temp\f35d502490f7522150c06d1bd7ca12e2.exe"
C:\Users\Admin\Documents\mwps\mwps.exe
"C:\Users\Admin\Documents\mwps\mwps.exe"
C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe
"C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe"
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\ac5ffe71-247f-4294-8c82-fa72beef95ab\f35d502490f7522150c06d1bd7ca12e2.exe
"C:\Users\Admin\AppData\Local\Temp\eset\bts.session\ac5ffe71-247f-4294-8c82-fa72beef95ab\f35d502490f7522150c06d1bd7ca12e2.exe" --bts-container 2652 "C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe"
C:\Users\Admin\Documents\wpas mngr.exe
"C:\Users\Admin\Documents\wpas mngr.exe"
C:\Users\Admin\Documents\proDM\pdm.exe
"C:\Users\Admin\Documents\proDM\pdm.exe"
C:\Users\Admin\Documents\comPM\cpm.exe
"C:\Users\Admin\Documents\comPM\cpm.exe"
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2224-0-0x0000000075302000-0x0000000075303000-memory.dmp
memory/2224-1-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/2224-2-0x0000000075300000-0x00000000758B1000-memory.dmp
C:\Users\Admin\Documents\mwps\mwps.exe
| MD5 | 307956cbcc6322cef0760b8bd174e081 |
| SHA1 | 4524c29dc44d0a6af35c3091ff63593558d8e0c1 |
| SHA256 | 32695f53c395ddaea37e5200349c9ad57d65c62fbc652265940ca9168604f5a7 |
| SHA512 | d3b61b9c08321eb9330ef55717bae55188401c89aa9284bea09357639c741e272dc217375dfe4e4be0e37958052a0c697c9aa3e387ec803a1d8b325a56eb737f |
memory/4764-17-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/4764-18-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/4764-24-0x0000000075300000-0x00000000758B1000-memory.dmp
C:\Users\Admin\Documents\Windows_Run_Ceneter_SIER\f35d502490f7522150c06d1bd7ca12e2.exe
| MD5 | e6873bdbb73ff60a4468f6e204cdbaee |
| SHA1 | cb42c4061adfb90257beff9eff4929503e0c1fc5 |
| SHA256 | c74123c90df3ded1f9d091b278cf68ce798bb3c7d99b34a46ac0bdff29374045 |
| SHA512 | 5cefe838d1da8c97b5664efc0c49e9e1652700bd16eb3fc1467bc54c05b2f124393d692df11034373fe496df060125baafdafc237f26be4f13e447f2c7e6cd45 |
memory/2224-30-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/2224-29-0x0000000075300000-0x00000000758B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\ac5ffe71-247f-4294-8c82-fa72beef95ab\f35d502490f7522150c06d1bd7ca12e2.exe
| MD5 | 6e6fddaa8ecd3f759230a703dfce6d27 |
| SHA1 | 2ef696bc30d0ba48aa2af5c94787d056557fe21b |
| SHA256 | 3bc0f49207c2589667d540a9ee638daed3f350a4e943de22f135590484fd41e6 |
| SHA512 | cfb112e71e0f1841607f4a73b1bbf4c38170736ecdbde3138927d71f6f584d07f95dfe4b0f066e936af968abcbb9f88eef2db48a0a4b800a6cbb63188c643fca |
C:\Users\Admin\Documents\wpas mngr.exe
| MD5 | e03b00824eb87cdf8a4af0158b9f03b9 |
| SHA1 | 39d5d69b3f4e265e44b414ff98323e7332d4984c |
| SHA256 | 482a1c183b8db36574a67afcaad6057386c594480ac6e9b6fd31af6d19356524 |
| SHA512 | cddecdeabee507dcfdb4846ffb14ab6a95930b97be6bf4630feff1378d2b1386ef6feaeda84bc2b8386e5fea7724c19d95ad3e4c47561dd5e64365e52346cfd1 |
C:\Users\Admin\Documents\proDM\pdm.exe
| MD5 | e21b44a5ba5f2cf25a31600ed5678aa3 |
| SHA1 | d651ad21f565aae56c31fd5efeec2c99424eaf3f |
| SHA256 | a9831f4c9dc19ebd13158fd50c8df20e91b7a2568a142e9598f5e87da87aacd4 |
| SHA512 | bec72a0183fa6987cdcc1f528cd719d25bcb68233b77d3f6a0e4be3eeff084dc78c2e2b727c96e3a32326db358c7dc5359fdc657aa02115bfd7220413c206383 |
memory/3016-75-0x000000001C8F0000-0x000000001C98C000-memory.dmp
memory/3016-61-0x000000001C420000-0x000000001C8EE000-memory.dmp
C:\Users\Admin\Documents\comPM\cpm.exe
| MD5 | 015b69d2468b0454a04cc80027a65224 |
| SHA1 | 00eea83b7c91f8ea797e238827ccbc403c985f8b |
| SHA256 | ea65623a9e39191c0157c2cf541c397fecad15477c962594ee91033df463bd26 |
| SHA512 | 9f562242a04a5fe9f5b4fe8e1edd2bf1b171b75c834317a74c05621cad0605ca19ad2b3028ae60b72841b982b73fd972609f3c37879a50ba3cf69bf1838ea2b0 |
memory/3016-85-0x000000001BF00000-0x000000001BF08000-memory.dmp
memory/4764-86-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/4764-87-0x0000000075300000-0x00000000758B1000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250314-en
Max time kernel
104s
Max time network
132s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f36fde098314a27faa2d29aeb76c2bfb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f36fde098314a27faa2d29aeb76c2bfb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f36fde098314a27faa2d29aeb76c2bfb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f36fde098314a27faa2d29aeb76c2bfb.exe
"C:\Users\Admin\AppData\Local\Temp\f36fde098314a27faa2d29aeb76c2bfb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/1628-0-0x00007FFF94393000-0x00007FFF94395000-memory.dmp
memory/1628-1-0x00000210EDE00000-0x00000210EDE6C000-memory.dmp
memory/1628-2-0x00007FFF94390000-0x00007FFF94E51000-memory.dmp
memory/1628-3-0x00007FFF94390000-0x00007FFF94E51000-memory.dmp
memory/1628-4-0x00007FFF94393000-0x00007FFF94395000-memory.dmp
memory/1628-5-0x00007FFF94390000-0x00007FFF94E51000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win7-20241023-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iz1617645185b.gnq | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\iz1617645185b.gnq\ = f332de6296862f6b64ff1148ab29d4958d915e9430a37040 | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f373a271fe4709f9373cd3f5d1519b4055cf99521118a2b8dc790e358b3e1472.exe
"C:\Users\Admin\AppData\Local\Temp\f373a271fe4709f9373cd3f5d1519b4055cf99521118a2b8dc790e358b3e1472.exe"
C:\Users\Admin\AppData\Local\Temp\Trojaner.exe
"C:\Users\Admin\AppData\Local\Temp\Trojaner.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Trojaner.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\Trojaner.exe" +s +h
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
Network
Files
memory/1236-0-0x000007FEF54B3000-0x000007FEF54B4000-memory.dmp
memory/1236-1-0x0000000001060000-0x00000000011FC000-memory.dmp
memory/2032-10-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/1236-9-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Trojaner.exe
| MD5 | 2cbc81bd2bba98618393305727b68d61 |
| SHA1 | 03ab51a5bb74f7fdeb7c5e88446c00a964e7d01a |
| SHA256 | 2ebecdbf36e47198d74d46b33fa5deceb9c6db379ce4c445730f8b1d034ca6dd |
| SHA512 | 9703dc5dd27c2b123f30160697012d3d0693813223722bf701fb67351718a804b2b9ec70b913340586a27fd836bb25d629a2a3d085adab212c91d90398457582 |
memory/2032-12-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2032-14-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2032-11-0x000000000048F000-0x0000000000491000-memory.dmp
memory/2032-17-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2900-37-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2900-19-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2032-49-0x0000000005AE0000-0x0000000005CC7000-memory.dmp
memory/2636-48-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2032-47-0x0000000005AE0000-0x0000000005CC7000-memory.dmp
memory/2032-46-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2636-51-0x0000000000400000-0x00000000005E7000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe
"C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe"
Network
| Country | Destination | Domain | Proto |
| FR | 135.125.21.41:1912 | tcp |
Files
memory/2840-1-0x0000000001110000-0x0000000001162000-memory.dmp
memory/2840-0-0x000000007447E000-0x000000007447F000-memory.dmp
memory/2840-2-0x0000000074470000-0x0000000074B5E000-memory.dmp
memory/2840-3-0x000000007447E000-0x000000007447F000-memory.dmp
memory/2840-4-0x0000000074470000-0x0000000074B5E000-memory.dmp
memory/2840-5-0x0000000074470000-0x0000000074B5E000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250314-en
Max time kernel
103s
Max time network
148s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f329b3a2d6b8a4688e82ffe1c491b2ab.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f329b3a2d6b8a4688e82ffe1c491b2ab.exe
"C:\Users\Admin\AppData\Local\Temp\f329b3a2d6b8a4688e82ffe1c491b2ab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/3452-0-0x00007FF91F053000-0x00007FF91F055000-memory.dmp
memory/3452-1-0x0000000000BC0000-0x0000000000BD6000-memory.dmp
memory/3452-2-0x00007FF91F050000-0x00007FF91FB11000-memory.dmp
memory/3452-3-0x00007FF91F050000-0x00007FF91FB11000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250314-en
Max time kernel
104s
Max time network
145s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe
"C:\Users\Admin\AppData\Local\Temp\f386c97ec32e28437b074ba6fb3311ed.exe"
Network
| Country | Destination | Domain | Proto |
| FR | 135.125.21.41:1912 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/876-0-0x00000000749FE000-0x00000000749FF000-memory.dmp
memory/876-1-0x0000000000CB0000-0x0000000000D02000-memory.dmp
memory/876-2-0x0000000005CF0000-0x0000000006294000-memory.dmp
memory/876-3-0x0000000005740000-0x00000000057D2000-memory.dmp
memory/876-4-0x0000000005700000-0x000000000570A000-memory.dmp
memory/876-5-0x00000000749F0000-0x00000000751A0000-memory.dmp
memory/876-6-0x00000000068C0000-0x0000000006ED8000-memory.dmp
memory/876-7-0x0000000005B60000-0x0000000005C6A000-memory.dmp
memory/876-8-0x0000000005890000-0x00000000058A2000-memory.dmp
memory/876-9-0x00000000058F0000-0x000000000592C000-memory.dmp
memory/876-10-0x0000000005A50000-0x0000000005A9C000-memory.dmp
memory/876-11-0x00000000063A0000-0x0000000006406000-memory.dmp
memory/876-12-0x0000000007DE0000-0x0000000007E30000-memory.dmp
memory/876-13-0x00000000749FE000-0x00000000749FF000-memory.dmp
memory/876-14-0x0000000007E30000-0x0000000007FF2000-memory.dmp
memory/876-15-0x00000000749F0000-0x00000000751A0000-memory.dmp
memory/876-16-0x0000000008530000-0x0000000008A5C000-memory.dmp
memory/876-18-0x00000000749F0000-0x00000000751A0000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250314-en
Max time kernel
103s
Max time network
141s
Command Line
Signatures
DcRat
Dcrat family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\", \"C:\\4d7dcf6448637544ea7e961be1ad\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\", \"C:\\4d7dcf6448637544ea7e961be1ad\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\", \"C:\\4d7dcf6448637544ea7e961be1ad\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\Users\\Public\\Documents\\My Music\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Music\OfficeClickToRun.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\4d7dcf6448637544ea7e961be1ad\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\4d7dcf6448637544ea7e961be1ad\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Public\\Documents\\My Music\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Fonts\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Fonts\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Public\\Documents\\My Music\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\088424020bedd6 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXA1A2.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Fonts\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\Fonts\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File created | C:\Windows\Fonts\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| File opened for modification | C:\Windows\Fonts\RCX9F9D.tmp | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\My Music\OfficeClickToRun.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Documents\My Music\OfficeClickToRun.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4696 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe |
| PID 4696 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe |
| PID 4784 wrote to memory of 392 | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | C:\Users\Public\Documents\My Music\OfficeClickToRun.exe |
| PID 4784 wrote to memory of 392 | N/A | C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe | C:\Users\Public\Documents\My Music\OfficeClickToRun.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe
"C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe
"C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Users\Public\Documents\My Music\OfficeClickToRun.exe
"C:\Users\Public\Documents\My Music\OfficeClickToRun.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| RU | 109.107.189.197:80 | tcp | |
| RU | 109.107.189.197:80 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/4696-0-0x00007FFC19ED3000-0x00007FFC19ED5000-memory.dmp
memory/4696-1-0x0000000000570000-0x000000000069C000-memory.dmp
memory/4696-2-0x00007FFC19ED0000-0x00007FFC1A991000-memory.dmp
memory/4696-3-0x00000000028A0000-0x00000000028BC000-memory.dmp
memory/4696-5-0x00000000028C0000-0x00000000028D0000-memory.dmp
memory/4696-7-0x00000000028D0000-0x00000000028E2000-memory.dmp
memory/4696-6-0x000000001B2D0000-0x000000001B2E6000-memory.dmp
memory/4696-4-0x000000001B860000-0x000000001B8B0000-memory.dmp
memory/4696-8-0x000000001B310000-0x000000001B320000-memory.dmp
memory/4696-9-0x000000001B2F0000-0x000000001B2FC000-memory.dmp
memory/4696-10-0x000000001B300000-0x000000001B312000-memory.dmp
memory/4696-11-0x000000001C060000-0x000000001C588000-memory.dmp
memory/4696-14-0x000000001B9C0000-0x000000001B9CC000-memory.dmp
memory/4696-13-0x000000001B9B0000-0x000000001B9BE000-memory.dmp
memory/4696-12-0x000000001B340000-0x000000001B348000-memory.dmp
C:\Recovery\WindowsRE\System.exe
| MD5 | f3873b73a0b2ef5c54ba8ed8a571bc14 |
| SHA1 | 404a503b0a98f21c4adc006ebd7a51466aa1e52d |
| SHA256 | e38968cd849bfac11b8dc61f6945e406dc8fefed82db482d87579b61649cd08f |
| SHA512 | 02f343a965daa821e8f14fda3cc296beb8dac814b6618c20506c5afd9625c8108f868463b9318ace1c6e5600abecf1236751846794879bc465c08e3dfa22515a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f3873b73a0b2ef5c54ba8ed8a571bc14.exe.log
| MD5 | bbb951a34b516b66451218a3ec3b0ae1 |
| SHA1 | 7393835a2476ae655916e0a9687eeaba3ee876e9 |
| SHA256 | eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a |
| SHA512 | 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f |
memory/4696-49-0x00007FFC19ED0000-0x00007FFC1A991000-memory.dmp
memory/4784-50-0x000000001B9E0000-0x000000001B9F2000-memory.dmp
memory/4784-51-0x000000001C170000-0x000000001C182000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8651dc5980c60d5fc9efb2ba2d74320fcf09dd1b4.5.33labrador55b829c6e7a180740212f4a04459251de059830a
| MD5 | 72eee02dfc5fb1064d6550c696a00ece |
| SHA1 | 62b70a5fa90583ff784b4c1f7342e29cde06bd9e |
| SHA256 | c16865dc6ae2b788c66b2938f5a91f1bb08eaf19b4af230791e2857485bd873e |
| SHA512 | ba831b5e1835a3f570b69d68de4f9327b73f995f6db4d153e83393901b0c4a52c62b313494f508356cec6eab0928fe77910feb7d0559a417e7bae12e56c890f4 |
memory/392-81-0x0000000002CC0000-0x0000000002CD2000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win7-20241023-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f8635990ea5e4f2c51d6306732973d.exe | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f8635990ea5e4f2c51d6306732973d.exe | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\08f8635990ea5e4f2c51d6306732973d = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .." | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\08f8635990ea5e4f2c51d6306732973d = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .." | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe
"C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe"
C:\Users\Admin\AppData\Roaming\discord.exe
"C:\Users\Admin\AppData\Roaming\discord.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\discord.exe" "discord.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
Files
memory/2764-0-0x0000000074C81000-0x0000000074C82000-memory.dmp
memory/2764-1-0x0000000074C80000-0x000000007522B000-memory.dmp
memory/2764-2-0x0000000074C80000-0x000000007522B000-memory.dmp
C:\Users\Admin\AppData\Roaming\discord.exe
| MD5 | f3ef636642aed1dd87c2fc6ee6307e36 |
| SHA1 | 72e007f5a29963808e9fdcfecdf2024838373d43 |
| SHA256 | d04269233c1dae486565f17a4e83c5f89463e8f070d1e91a2c9f736278bbb62f |
| SHA512 | 24af2746679a052e7842e5ab46007c470349163fa97e6e485b49b9d8e7eb8e9720b97e84b6b21f085b7f16868607110cb51ee93e2730703a153fe105ce912560 |
memory/2764-11-0x0000000074C80000-0x000000007522B000-memory.dmp
memory/2136-12-0x0000000074C80000-0x000000007522B000-memory.dmp
memory/2136-10-0x0000000074C80000-0x000000007522B000-memory.dmp
memory/2136-14-0x0000000074C80000-0x000000007522B000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:40
Platform
win10v2004-20250314-en
Max time kernel
131s
Max time network
149s
Command Line
Signatures
AsyncRat
Asyncrat family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\loader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 556 wrote to memory of 812 | N/A | C:\Users\Admin\AppData\Local\Temp\f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe | C:\Users\Admin\AppData\Local\Temp\loader.exe |
| PID 556 wrote to memory of 812 | N/A | C:\Users\Admin\AppData\Local\Temp\f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe | C:\Users\Admin\AppData\Local\Temp\loader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe
"C:\Users\Admin\AppData\Local\Temp\f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe"
C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | health-eddie.gl.at.ply.gg | udp |
| US | 147.185.221.24:14888 | health-eddie.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.24:14888 | health-eddie.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| N/A | 127.0.0.1:14888 | tcp | |
| N/A | 127.0.0.1:14888 | tcp | |
| N/A | 127.0.0.1:14888 | tcp | |
| N/A | 127.0.0.1:14888 | tcp | |
| N/A | 127.0.0.1:14888 | tcp | |
| N/A | 127.0.0.1:14888 | tcp | |
| US | 147.185.221.24:14888 | health-eddie.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:14888 | tcp | |
| US | 147.185.221.24:14888 | health-eddie.gl.at.ply.gg | tcp |
Files
memory/556-0-0x00007FFA52963000-0x00007FFA52965000-memory.dmp
memory/556-1-0x0000000000B20000-0x0000000000B48000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\loader.exe
| MD5 | 4aa7d943848162a275ed466ca2898d7b |
| SHA1 | 65b3e3df57c4d335bf2b90258854cc8cfd2a9381 |
| SHA256 | 45d059a5c9e81a2ccd5e7b40208f9daa28f097c6882ead7cea18ee0e5a9c51b9 |
| SHA512 | a952b7ef59a310227bf3f3399da9faf6969198f613b6ef09b6ea120e5f09427c7b39f9a1259194c38d116458274ca6aab27df8585dfa433560f617abdc6703de |
memory/556-12-0x00007FFA52960000-0x00007FFA53421000-memory.dmp
memory/812-14-0x00000000006E0000-0x00000000006F6000-memory.dmp
memory/812-15-0x00007FFA52960000-0x00007FFA53421000-memory.dmp
memory/812-16-0x00007FFA52960000-0x00007FFA53421000-memory.dmp
memory/812-17-0x00007FFA52960000-0x00007FFA53421000-memory.dmp
memory/556-19-0x00007FFA52960000-0x00007FFA53421000-memory.dmp
memory/812-20-0x00007FFA52960000-0x00007FFA53421000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250314-en
Max time kernel
101s
Max time network
140s
Command Line
Signatures
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f373a271fe4709f9373cd3f5d1519b4055cf99521118a2b8dc790e358b3e1472.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iz1617645185b.gnq | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\iz1617645185b.gnq\ = f938d4689c8c25616ef51b42a123de9fbda16ea400934070 | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Trojaner.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f373a271fe4709f9373cd3f5d1519b4055cf99521118a2b8dc790e358b3e1472.exe
"C:\Users\Admin\AppData\Local\Temp\f373a271fe4709f9373cd3f5d1519b4055cf99521118a2b8dc790e358b3e1472.exe"
C:\Users\Admin\AppData\Local\Temp\Trojaner.exe
"C:\Users\Admin\AppData\Local\Temp\Trojaner.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Trojaner.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\Trojaner.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2280-0-0x00007FFABA263000-0x00007FFABA265000-memory.dmp
memory/2280-1-0x0000000000680000-0x000000000081C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Trojaner.exe
| MD5 | 2cbc81bd2bba98618393305727b68d61 |
| SHA1 | 03ab51a5bb74f7fdeb7c5e88446c00a964e7d01a |
| SHA256 | 2ebecdbf36e47198d74d46b33fa5deceb9c6db379ce4c445730f8b1d034ca6dd |
| SHA512 | 9703dc5dd27c2b123f30160697012d3d0693813223722bf701fb67351718a804b2b9ec70b913340586a27fd836bb25d629a2a3d085adab212c91d90398457582 |
memory/2280-10-0x00007FFABA260000-0x00007FFABAD21000-memory.dmp
memory/1080-14-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2280-16-0x00007FFABA260000-0x00007FFABAD21000-memory.dmp
memory/1080-17-0x000000000048F000-0x0000000000491000-memory.dmp
memory/1080-18-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/1080-19-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/1080-22-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/4988-24-0x00000000004F0000-0x00000000004F1000-memory.dmp
memory/1080-83-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2424-85-0x0000000000400000-0x00000000005E7000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2864 set thread context of 2708 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
| PID 2864 set thread context of 1860 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe
"C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
Files
memory/2380-0-0x0000000074061000-0x0000000074062000-memory.dmp
memory/2380-9-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2380-1-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2380-11-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2380-10-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2380-23-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2380-24-0x0000000074060000-0x000000007460B000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | e943a3c1587a1c6120f9709dee445a23 |
| SHA1 | d2c13d8b1d19a16e3f472f2c02a5ecc9c8518593 |
| SHA256 | 2fa77c39c58c73c3aa7e9fb617256eb893cb64ad0c3d27a2558e73d9b85804c9 |
| SHA512 | 86a2638f1367eed8bf6237c5647367a9633980932e88c62723f26ccf25a8af304b9d6960489199ae8f8ad0e2160260bd66367ff21d57b8b3b48f2f0d9aa875f4 |
memory/2864-32-0x0000000074060000-0x000000007460B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab36F8.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2380-31-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2864-41-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2864-40-0x0000000074060000-0x000000007460B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar4471.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
| MD5 | 5a733ef0de5e31e2e4b4abb016c0f251 |
| SHA1 | 28644040a6deac35c20fa931b5d003a97293363e |
| SHA256 | a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7 |
| SHA512 | 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9 |
memory/2708-85-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2708-84-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1860-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2708-68-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2708-66-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2708-73-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2708-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2708-70-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2708-64-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2864-56-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2864-89-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2864-88-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2864-92-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2864-93-0x0000000074060000-0x000000007460B000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4220 set thread context of 5856 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
| PID 4220 set thread context of 1280 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe
"C:\Users\Admin\AppData\Local\Temp\f3a76e96152f78dfc595c893cc231178.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/532-0-0x0000000074C52000-0x0000000074C53000-memory.dmp
memory/532-1-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/532-2-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/532-3-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/532-4-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/532-16-0x0000000074C52000-0x0000000074C53000-memory.dmp
memory/532-17-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/532-18-0x0000000074C50000-0x0000000075201000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | 09b8c0e63618818684d4fdc6094eabee |
| SHA1 | 1f93bbf97a285c4c2b5a880d098a6f6e8859bf81 |
| SHA256 | 333d312617758f710f360453471965979ace34ee8dfce095c47900385d60db65 |
| SHA512 | be3553786ae45f61cf4a922cb8c97d8cb94a4936f4b7abff9bebf4457dd9e5c464777ac32d2fc0b7840feb5bb4c0743557728d3a41e977595330d45b92184753 |
memory/532-29-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/4220-30-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/4220-32-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/4220-31-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/4300-34-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/4300-35-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/4300-36-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/4220-37-0x0000000074C50000-0x0000000075201000-memory.dmp
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
| MD5 | 5a733ef0de5e31e2e4b4abb016c0f251 |
| SHA1 | 28644040a6deac35c20fa931b5d003a97293363e |
| SHA256 | a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7 |
| SHA512 | 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9 |
memory/5856-52-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log
| MD5 | b3ac9d09e3a47d5fd00c37e075a70ecb |
| SHA1 | ad14e6d0e07b00bd10d77a06d68841b20675680b |
| SHA256 | 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432 |
| SHA512 | 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316 |
memory/4220-56-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/4220-59-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/4300-60-0x0000000074C50000-0x0000000075201000-memory.dmp
memory/4300-61-0x0000000074C50000-0x0000000075201000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:40
Platform
win7-20240903-en
Max time kernel
134s
Max time network
145s
Command Line
Signatures
NanoCore
Nanocore family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2496 set thread context of 2984 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe
"C:\Users\Admin\AppData\Local\Temp\f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "IMAP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCCFF.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp |
Files
memory/2980-0-0x00000000745F1000-0x00000000745F2000-memory.dmp
memory/2980-1-0x00000000745F0000-0x0000000074B9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar828D.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\Cab827B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2980-9-0x00000000745F0000-0x0000000074B9B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar8526.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6b64c81113fabfb7c4ccfb81a776a498 |
| SHA1 | 77aa208d11ff107c06b1397fc507fb61ad209a1b |
| SHA256 | b48c5bf04694adbb10328b96f78dc4760b853eb8db6789418ca32c90043b82e3 |
| SHA512 | 5e837ab9c0a226a2f00fd4b79779491d87747963b912aeaeecd681c460628929a25755960969ff286926942881f16cc1a1ce7efff1abfac367c094e6bc1e6d3d |
memory/2980-185-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/2980-186-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/2980-187-0x00000000745F0000-0x0000000074B9B000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | ae438e05ae8dfe2a226d2c48f346a51a |
| SHA1 | 11a8cd7df4608c203185bd52bea2320218482045 |
| SHA256 | 4126fc8665c37df0e1a3b33c343864ee740906623c4203f15f2800c6a477e787 |
| SHA512 | 3c4cf2f38dfa5923713e7a961737c650c931c7405e87451dddd9c4b4a6ca80965404837397b77d4a77804bc3296637fe765628b7dd00d732fb9b9654c37ef44c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a5883e7b08e409b51f2af3e5673f2f1e |
| SHA1 | 9756b0c8851196a652a97b05377f44a19bb7dc71 |
| SHA256 | 136a163077da14661fadcb7ecea9db33926978e9d404320221cad9d4fea23858 |
| SHA512 | 93f8d6164b75d30d6efc758e48e47afee9363cdef30652b1cfdb92aa012e8ffdfc02259f423c626f3bffe2961b893de3db1909019be45a2f27587098d9dd3861 |
memory/2496-206-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/2980-205-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/2496-220-0x00000000745F0000-0x0000000074B9B000-memory.dmp
memory/2984-228-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2496-234-0x00000000745F0000-0x0000000074B9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCCFF.tmp
| MD5 | d81eb43d26d4511c44151cba2eb45983 |
| SHA1 | 135c98e039c6ab35d4e9564f15f9c56dc9dbeb9a |
| SHA256 | a72a8f6434d6b0fb904db5adc8cab891d12c53b4ac1435dfd13df51f84a2d4d0 |
| SHA512 | b5895c19159d23a8fa312967e47d0855ac6f8f314f8931f54469b0c0079a22e9e00a5eaf6729761f74d54e111454d49813e658243e920a9c3434a5576cdda721 |
memory/2984-231-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2984-233-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2984-232-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2984-230-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2984-226-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2984-224-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2984-222-0x0000000000400000-0x0000000000438000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:40
Platform
win10v2004-20250314-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\RCX93DB.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX9891.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\es-ES\TextInputHost.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\RCX9148.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\RCX935D.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX98FF.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\121e5b5079f7c0 | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\TextInputHost.exe | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\es-ES\22eafd247d37c3 | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Shared Gadgets\eddb19405b7ce1 | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\RCX9138.tmp | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe
"C:\Users\Admin\AppData\Local\Temp\f2e7cee938a991ef6e4a0fcb64efc69a.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ryfxXmZBx.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4451b6-e715-4386-8795-34d7a0b92748.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bda69bc-bcf6-440d-aff4-266b25210048.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a4e92d7-3bfe-431a-9ae9-dd80f475584a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e885833b-612d-45b9-8263-9047d2f564c9.vbs"
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c6bbe1-ac17-4767-ae4d-ec12e47da5b3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f799eb6e-568b-47f3-b2f2-81d4545f7771.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a1087172.xsph.ru | udp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a1087172.xsph.ru | tcp |
Files
memory/5072-0-0x00007FFDE7DF3000-0x00007FFDE7DF5000-memory.dmp
memory/5072-1-0x0000000000900000-0x0000000000C4E000-memory.dmp
memory/5072-2-0x00007FFDE7DF0000-0x00007FFDE88B1000-memory.dmp
memory/5072-3-0x0000000002CC0000-0x0000000002CCE000-memory.dmp
memory/5072-4-0x0000000002CD0000-0x0000000002CD8000-memory.dmp
memory/5072-5-0x0000000002D40000-0x0000000002D5C000-memory.dmp
memory/5072-6-0x000000001BF40000-0x000000001BF90000-memory.dmp
memory/5072-9-0x000000001B7B0000-0x000000001B7C6000-memory.dmp
memory/5072-8-0x000000001B7A0000-0x000000001B7B0000-memory.dmp
memory/5072-10-0x000000001B7D0000-0x000000001B7D8000-memory.dmp
memory/5072-7-0x0000000002D60000-0x0000000002D68000-memory.dmp
memory/5072-11-0x000000001B7E0000-0x000000001B7F2000-memory.dmp
memory/5072-12-0x000000001B810000-0x000000001B820000-memory.dmp
memory/5072-13-0x000000001B7F0000-0x000000001B7FA000-memory.dmp
memory/5072-14-0x000000001C090000-0x000000001C0E6000-memory.dmp
memory/5072-15-0x000000001B800000-0x000000001B80C000-memory.dmp
memory/5072-16-0x000000001B820000-0x000000001B828000-memory.dmp
memory/5072-17-0x000000001C0E0000-0x000000001C0EC000-memory.dmp
memory/5072-18-0x000000001C0F0000-0x000000001C0F8000-memory.dmp
memory/5072-19-0x000000001C100000-0x000000001C112000-memory.dmp
memory/5072-20-0x000000001C660000-0x000000001CB88000-memory.dmp
memory/5072-24-0x000000001C160000-0x000000001C16C000-memory.dmp
memory/5072-23-0x000000001C150000-0x000000001C158000-memory.dmp
memory/5072-22-0x000000001C140000-0x000000001C14C000-memory.dmp
memory/5072-21-0x000000001C130000-0x000000001C13C000-memory.dmp
memory/5072-25-0x000000001C170000-0x000000001C17C000-memory.dmp
memory/5072-27-0x000000001C500000-0x000000001C50C000-memory.dmp
memory/5072-31-0x000000001C400000-0x000000001C40E000-memory.dmp
memory/5072-30-0x000000001C2A0000-0x000000001C2A8000-memory.dmp
memory/5072-29-0x000000001C290000-0x000000001C29E000-memory.dmp
memory/5072-28-0x000000001C280000-0x000000001C28A000-memory.dmp
memory/5072-26-0x000000001C3F0000-0x000000001C3F8000-memory.dmp
memory/5072-35-0x000000001C3E0000-0x000000001C3EA000-memory.dmp
memory/5072-34-0x000000001C3D0000-0x000000001C3D8000-memory.dmp
memory/5072-33-0x000000001C3C0000-0x000000001C3CC000-memory.dmp
memory/5072-32-0x000000001C3B0000-0x000000001C3B8000-memory.dmp
memory/5072-36-0x000000001C410000-0x000000001C41C000-memory.dmp
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe
| MD5 | f2e7cee938a991ef6e4a0fcb64efc69a |
| SHA1 | a256643993c2ad1e86be6209dd3cf457ba6e6865 |
| SHA256 | b874ba54767cb863c42144303d87a6cba7c13b2cb36d10ecc714b226b1732d03 |
| SHA512 | af637f0038ac2afe4ab315c514ceb79540c54c5cd59128a7a1726c022c3846e57fb5d762360b9db5f34605e7134203f058c693edfb8b5d9d07b86dbc346f451b |
C:\Program Files (x86)\Windows Defender\es-ES\TextInputHost.exe
| MD5 | cb49c1c418a11b8ff24a767349a610db |
| SHA1 | 12270bccbf10b7f1bc12097059799f7f8c6f221a |
| SHA256 | d2553911b41aab2269e2572bcda040f2824f656c05fe41107993787bf3ee2f03 |
| SHA512 | c9526008f7c34d421d77f8a4192d8d823e2c641a8d1f4963a63d470c0b9b9deced05756847d792769261d7002c7a13d570d7310b1a40f12d8924f307bf2d1025 |
C:\Recovery\WindowsRE\RuntimeBroker.exe
| MD5 | a4472e8fb7d2633ba3ad94aaac30921d |
| SHA1 | 0523dccef5ac38bf6b164f9df027627d54ac44ca |
| SHA256 | aacbd3d62d42d47cf8476e543fa06ee79f0dbe7d110a65360cf05fd1f111c1f9 |
| SHA512 | 9bc839d3b17b718da71cca5c51ff1d435182ddf98570023b7ed6d096f8b16b5b4416d7df470b2f01c22e6e8314775dccca76cbf9f8272d672932d816f58d62bb |
memory/5072-170-0x00007FFDE7DF0000-0x00007FFDE88B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2ryfxXmZBx.bat
| MD5 | 67ea93bb5e0a79891dd1f0700aadd39b |
| SHA1 | ad02f167c9e7b475f82c533d8795705056907529 |
| SHA256 | 8cad197809a686a1ebdce21c234535ae96ed1abc9291f7de19bd9d45c10c4d5b |
| SHA512 | c0b0141f0139750f50304c1721048ad72bda00b33e7512535df486216fa2f413b6394c677de7ed47c146e502feda19200a53d52f36858d5e4a56285938d0d7b0 |
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe
| MD5 | 2ef88a705579b957f43eb6c6d0334cf3 |
| SHA1 | 7aad3a74ad328bf739923dd7cbae17853e6d6e8f |
| SHA256 | 95a7aae2e804fd86356086475c3e45d6699ff221e183bf121188082b9ce354e8 |
| SHA512 | 99a83760f69e1d96bf6b8babdeff9d37c66802f26d14569924ec49bcbbc298d045b66cdf7a175afe7a33a90662f17141ed0c6eb7643b26bc35e936def86d1118 |
memory/1292-175-0x0000000000100000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\be4451b6-e715-4386-8795-34d7a0b92748.vbs
| MD5 | 225a4eb3f83c80f8ed2f53d57b0297d9 |
| SHA1 | 279632b176b8327993508277aed94f7a3b25cd7e |
| SHA256 | 5b897d7abb7b4dc50acbd24025c72386032601783495bebbec16917525f5290a |
| SHA512 | 227343a735b6cf608417159a6930ca6918daacb2c8d638b926e4213a981774d1a8cced196f3e42ac5074a337899d286fd57db8a65eae664c7a998f5b4f91ab7d |
C:\Users\Admin\AppData\Local\Temp\9bda69bc-bcf6-440d-aff4-266b25210048.vbs
| MD5 | 615975efbfa7c6b8d5bcef61dd95901c |
| SHA1 | 0040c48d876158f450b6c664e920b9d6774f7bd8 |
| SHA256 | 223f1fb66cad726617eb253d425f6465debb2ea56b8086ca80ad0dded2c5bbb5 |
| SHA512 | ea3abbeb3ed770b94cb0ff5cac1b5139a40440b61538a71024dd0a814a36ebb307e49b84fd010dc719bdd6c90d28678cf304453895e215e31f37b76e602343a7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log
| MD5 | 49b64127208271d8f797256057d0b006 |
| SHA1 | b99bd7e2b4e9ed24de47fb3341ea67660b84cca1 |
| SHA256 | 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77 |
| SHA512 | f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e |
memory/3560-188-0x000000001C140000-0x000000001C152000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3a4e92d7-3bfe-431a-9ae9-dd80f475584a.vbs
| MD5 | 73d4b760631179a8ee49ba0c8cf7bcbb |
| SHA1 | a04403601e1b1225b492790225a606b28eb9afdf |
| SHA256 | 40b213b92c3f97e1c4b4b0b278ce2d06cd6eee791ebe3d5d6e99202c1df94323 |
| SHA512 | 1ad3e375fca58b89403dfebb5022f58a346709a5d30c6ffe061f23dcf719ff5ea094d5bc809322b3d696e498c025c067b564bc86466232a25ad8487041b07a73 |
C:\Users\Admin\AppData\Local\Temp\d0c6bbe1-ac17-4767-ae4d-ec12e47da5b3.vbs
| MD5 | 8ce2f41a4956e1f8266869c7a077d588 |
| SHA1 | eba9896bc8d1a8478719d528042eaaece11dd4f1 |
| SHA256 | 9ff22db5efb24465f84041a78672a4e4e7d96a2e48cde27855e20d1cd99d6006 |
| SHA512 | 377a17d894aa58435a4a00978723b00c37aec60af32ef385c3abd072c13a5085f5a4bc3b0d3dd27ae3b979665917a1d7928822e208194c94175483d69aa3d7d3 |
Analysis: behavioral29
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win7-20241010-en
Max time kernel
105s
Max time network
161s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A |
Xworm
Xworm family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3eedde12ec9a2f363c13d643bd2acdf.lnk | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3eedde12ec9a2f363c13d643bd2acdf.lnk | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\migwiz\migwiz.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\f3eedde12ec9a2f363c13d643bd2acdf = "C:\\Users\\Admin\\AppData\\Roaming\\f3eedde12ec9a2f363c13d643bd2acdf.exe" | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | N/A |
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\migwiz\cryptbase.dll | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\system32\migwiz\$dpx$.tmp\job.xml | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\system32\migwiz\$dpx$.tmp | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\system32\migwiz\$dpx$.tmp\642420f840596c40860c44d66c8db5b2.tmp | C:\Windows\system32\wusa.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" | C:\Users\Admin\AppData\Local\Temp\TOJNSR.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\system32\wusa.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TOJNSR.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\TOJNSR.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.dot\ShellEx | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\OpenWithList\ois.exe | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.mcl\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp1 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.M2TS\ShellEx\{e357fccd-a995-4576-b01f-234630154e96} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.rmf\AcroExch.RMFFile\ShellNew | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.ACCDTFile | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\accessthmltemplate\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.fnt | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.pch\PersistentHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\BriefcasePage | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.accde | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.java\PersistentHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.pptm\ShellEx\PropertyHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.rle | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.wav\OpenWithList | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.StoredProcedure.1\shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.lgn | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.rqy | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.ACCDCFile\CurVer | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Extension.14\shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Report.1\shell\Browse\ddeexec\application | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.3ga | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Table.1\shell\print\ddeexec | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.hxd | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.msstyles | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.thmx | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\7-Zip.tar\shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.AcroAXDoc.1 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Application.Reference\shellex\{000214F9-0000-0000-C000-000000000046} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.appref-ms | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.exp\PersistentHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\PersistentHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.rpc | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.wps\OpenWithList\winword.exe | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Application.14 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.WizardDataFile | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.RMFFile | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\BriefcaseMenu | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.cpl\PersistentHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.p7m | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.xlsb\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Application.14\shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.tp | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.7\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.dwfx\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.ofs | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.wm\PersistentHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Query.1\shell\printto\ddeexec | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Table.1\shell\printto\ddeexec\ifexec | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.xlam\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{152DA466-C04C-4A4D-9707-0714DB744A7F} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{e49dde22-c999-4d57-86fe-6d6c610d4b94} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.asc | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.au\OpenWithProgIds | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.m4p\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.psd1 | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\shell\Print | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{b3fd0790-e46d-44d8-a88c-fcd99771da5e} | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\migwiz\migwiz.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe
"C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe"
C:\Users\Admin\AppData\Local\Temp\hqicuj.exe
"C:\Users\Admin\AppData\Local\Temp\hqicuj.exe"
C:\Users\Admin\AppData\Local\Temp\TOJNSR.exe
"C:\Users\Admin\AppData\Local\Temp\TOJNSR.exe"
C:\Users\Admin\AppData\Local\Temp\MTHR7H.EXE
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.EXE"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
C:\Windows\system32\wusa.exe
wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp89A9.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
C:\Windows\System32\migwiz\migwiz.exe
"C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA2A5.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC56.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB451.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD27.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4D5.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCEC4.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDEBB.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE743.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEFFA.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF892.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp973.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp116E.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp19C8.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\lxwtmq.exe
"C:\Users\Admin\AppData\Local\Temp\lxwtmq.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e0
C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
"C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp233A.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k reg delete HKCR /f
C:\Windows\system32\reg.exe
reg delete HKCR /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2A99.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | request-busy.gl.at.ply.gg | udp |
| US | 147.185.221.27:6728 | request-busy.gl.at.ply.gg | tcp |
| US | 147.185.221.27:6728 | request-busy.gl.at.ply.gg | tcp |
Files
memory/2736-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp
memory/2736-1-0x0000000000CB0000-0x0000000000CC2000-memory.dmp
memory/2736-8-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp
memory/2736-9-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp
memory/2736-10-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp
memory/2736-11-0x0000000000460000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hqicuj.exe
| MD5 | fc3d69ead4dc6937cf562c2b5d1408ae |
| SHA1 | 44505edcea4c345607598ce0515b63556a2a82c6 |
| SHA256 | cfa99c839bf42e81ab27402aec06b4e5578df2f64cc0179a210a1f9978633e3d |
| SHA512 | dd0df4636f90981d4743c8128e492970d146fab6a5358d9cc8fe08b0e9aa95b8fe0dd8c1a783599fa12862700464cc752d78020f8b8520418a83f18e3f09ef04 |
memory/2584-18-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp
memory/2584-17-0x0000000000B20000-0x0000000000BDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MTHR7H.EXE
| MD5 | 8964489afcdf25c4eef3aea0e0c9a872 |
| SHA1 | 656485b929fd67c26f733ba6e85525d76c8f9791 |
| SHA256 | 6b4840400cf2f697ce98a66af37497447278ffef8dcac35182726154146ea066 |
| SHA512 | 3ff73c9c910e1f30c9235501864e79d6ac4bc8fafbb62191edca0b4f5ad5c6a46efce9065c2cf169775b83954085d79d2cb45d6f4be8fdbb85a6163f98fecfab |
C:\Users\Admin\AppData\Local\Temp\TOJNSR.exe
| MD5 | 2311b53a8f1f01801307ea1bad548206 |
| SHA1 | 353e256310fdc375b88dc9f19aa3c261a3def500 |
| SHA256 | 489f90e56364468967a75b16b5db8771c46909ce790a08b9a82528da53a34c99 |
| SHA512 | 75f67a61e0ead274e0df537ea7585f23966fc3297a9a21884f94ad39437aa48215c5e5e1b0fee8894129819ce2fb77b47af41a939d2d52221fcae701856f6bb1 |
memory/2584-23-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp
memory/3000-31-0x0000000000A10000-0x0000000000A52000-memory.dmp
memory/2584-32-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp
memory/3000-40-0x00000000004F0000-0x0000000000506000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\32.cab
| MD5 | 9dda4db9e90ff039ad5a58785b9d626d |
| SHA1 | 507730d87b32541886ec1dd77f3459fa7bf1e973 |
| SHA256 | fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe |
| SHA512 | 4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a |
C:\Users\Admin\AppData\Local\Temp\64.cab
| MD5 | 8cfa6b4acd035a2651291a2a4623b1c7 |
| SHA1 | 43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9 |
| SHA256 | 6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9 |
| SHA512 | e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685 |
C:\Users\Admin\AppData\Local\Temp\tmp89A9.tmp.bat
| MD5 | 7d181b412a405518da1a1729a609ef2a |
| SHA1 | 33a00ed7d9928aff76284e0d06cf97777f8262e3 |
| SHA256 | 9268bb44cbdf67f060b123c1c485580cc8b0ec7e79ca4a43619162a3ff359278 |
| SHA512 | 3374afc9d0b0c079df2c5e7540fdd5ff2689aad86704f00b6dbb971c1af58829fc9b9d4f1e49dc768f497fe4a93274c533155207bd240ae3b75224c5d2020179 |
C:\Users\Admin\AppData\Local\Temp\888.vbs
| MD5 | 8be57121a3ecae9c90cce4adf00f2454 |
| SHA1 | aca585c1b6409bc2475f011a436b319e42b356d8 |
| SHA256 | 35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e |
| SHA512 | 85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72 |
\Windows\System32\migwiz\cryptbase.dll
| MD5 | 1deeaa34fc153cffb989ab43aa2b0527 |
| SHA1 | 7a58958483aa86d29cba8fc20566c770e1989953 |
| SHA256 | c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a |
| SHA512 | abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86 |
C:\Users\Admin\AppData\Roaming\f3eedde12ec9a2f363c13d643bd2acdf.exe
| MD5 | f3eedde12ec9a2f363c13d643bd2acdf |
| SHA1 | 2d53fef1c7b2036d4c25097fe1d3d5276cff9cb8 |
| SHA256 | 63c8a594926959e99dbcaac2e4bdf923691373d432500ddc0572996bfb8e399e |
| SHA512 | 0f6f4ed01f591edb4565fd31169aebb3be2d2dec246459411c52db0c9c7168da4404d4657312c879980b524da6047d9a87b8a49bae5836bf40e9ebeb6f166a53 |
C:\Users\Admin\AppData\Local\Temp\Mason.exe
| MD5 | 47654744c80359c665fc217abaabf4ab |
| SHA1 | 1a134118f4814291e8c55d4ee9ad723959de3707 |
| SHA256 | 77c13653a4c452a3b72fc37cc151da4d5d5690cde11514018f4580df75c09152 |
| SHA512 | f73147521235ca4e607040f230712fc7f165533dd988c8ae03b387f21378466f1f86621f400e28fc86bb807616fcef4e20e3cc0b17012a6124b393506971c2dd |
C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.bat
| MD5 | 75afb9e4d2e6765b6f415a22303a47e6 |
| SHA1 | d190f7b28eba2f9c0b00f0e12d9a5f9d3ad1d448 |
| SHA256 | b82a6eb4775f97685c7fd45adcd16cbe4822f210103e3758734d17e0e342640b |
| SHA512 | 98ecfb719d99dee1e4c7bd5eb02105f4530fae9157f42c6fa427156681c1d47d78fd8cc67ec3feac1949d480efa75c1776ff58f43e26e3a7f92530ab27586f72 |
C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp.bat
| MD5 | 04a6c21c9d582ea99b8b5cd85a6d5f1a |
| SHA1 | 6f45498e767eb8c7f9a57aaf625421fd054388d1 |
| SHA256 | ea900145d57481d8dffdb8f8f0e019cb3032a9f72aebf634326c2893ab45c9c6 |
| SHA512 | 21649c1118e5c7b059d3be9e3ea66e50b0ac53e6251fbb7c907d5189873437f84a461a18f4c251b17988da68ba10591237ae3d8f9b46be25f8ecaa1c5afcb1c8 |
C:\Users\Admin\AppData\Local\Temp\wl.jpg
| MD5 | 84bc45875eb60512e25dca16d4e5304d |
| SHA1 | 5965867a44a5809ad57eaaab978c698104103e34 |
| SHA256 | 52a9fd513a7085c8814e13e8f25a1ab7aade6c02ae387e745237dfa36d088f39 |
| SHA512 | df08663efbf471f4b1cedeac3c5e2af432e729008b02b14b31e9feac229bdd54ae76644c903cf56ecc87eabcab3c0f44f1296726e338645ccf148ef7d11a552a |
C:\Users\Admin\AppData\Local\Temp\tmpA2A5.tmp.bat
| MD5 | 7eb455ba5bdefc53264bfc669dac88ed |
| SHA1 | 9943e5c38268f3d8cf7cb560127656d950ef131e |
| SHA256 | dd7be95086e2daf41bb11f7f4550a2a75323a1ded74871434725ca5a0e5bf735 |
| SHA512 | 7d0eaf86045d3c886515f59f7eef2a9e83627fd42aa8a030f78930c0137752101ffe694cbbd16694d7649c3ec2bfb3f2430780ec010a486b5dbf3fc92eca20dd |
C:\Users\Admin\AppData\Local\Temp\tmpAC56.tmp.bat
| MD5 | 46434e596d4ec27e4b935ed0a038e201 |
| SHA1 | bb3239705f3e28c05c44e998a4d99addd59d29e9 |
| SHA256 | c0309b6a96991c5f4b0a5e95bfd9f273510a5f557f7285d81196ef81c20f43ed |
| SHA512 | 1087944acb2cb65a754e07cdefa9b80d0184db8e7626b83126182bfd6cf9c30ecec97dfcd07faa63d4a28d0d74ffbdf33452ff4f0081baa16536e159235c5afb |
C:\Users\Admin\AppData\Local\Temp\tmpB451.tmp.bat
| MD5 | d930a0a6c1232d7972e1dba07087196e |
| SHA1 | e246c0a7eecdd07c62756f9194bff8ff7c858719 |
| SHA256 | 93598c8dabe3cc54c4c99896eedeb23a3442d7907a2fdb1fb832d43a8475a7ed |
| SHA512 | b4510696600c1f383573984f080216be5aa7e9c4f013819d5b6dcef716b0c0abac64f3c094e264bd8f7693f6ac7df0283fb52a578333d0fc17b2ca3b36b772cd |
C:\Users\Admin\AppData\Local\Temp\tmpBD27.tmp.bat
| MD5 | 74e08567a1c6f24621efb27699b1af80 |
| SHA1 | 27f33524333a8bcbe9d340b33c2cbb2e9c8151f3 |
| SHA256 | 9cf12ef3b2b4057eb9bea80746ccbbcd4882514175bc0a148c3f35e7cb53d8ac |
| SHA512 | 5324ed509201589096c48bf2f4a57810e1c19cadec4fd262c10011a0304e7d8c4c7dcea08d31d979fab47ecb578f54c5408d9b4e2b59217636d83f4cb3bef0d4 |
C:\Users\Admin\AppData\Local\Temp\tmpC4D5.tmp.bat
| MD5 | 2be7ef1287b458d099d669fb3f0caa7d |
| SHA1 | ed7f3b4f904fbfa45ec90ee19faf818901863083 |
| SHA256 | ededffd5838446a007f2288c53c3aa4ae53573fb0003ad4fa332b329b26565fa |
| SHA512 | 9eb0b528bdb4182030bc124498061fe5e834d6dbf56511d1069e033077f625e903ab712ea673ee31339408964dd23819d13177b9dac248e8e88cbacbcd534311 |
C:\Users\Admin\AppData\Local\Temp\tmpCEC4.tmp.bat
| MD5 | 858a9d3b8f4b5b48851aa6e3dab43753 |
| SHA1 | ccffa637de941175c5b401ac0c1322ee73715622 |
| SHA256 | 59a5fc752d3bd70716ec61c0abd8dfa43186dd96eaaf504642427af8885012c8 |
| SHA512 | 3678a57be6a4a65aca887fbb7f104bd48548153bed7f034794231022c8725f935ed4737024703b3f834b12f779f149f5db923612ba0ce76643ec01ae8930b730 |
C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp.bat
| MD5 | e2b94afb7f92cdc87d9a3b81a38e51c3 |
| SHA1 | ad13fe266322935e619ede02f757b5c23e0d3189 |
| SHA256 | c5e7b730c86132bfbab8a34bf262ebfaba5e658d5437028d2274de8fe295cebf |
| SHA512 | 596b31f81da0dc9d659ebc6f0de005a7f09d5abe3023c7499578de1ce3768517a8bf734d5773b2968de00a04bd0f07a0ba618cc6cb50244fbd73de3a5ad7d295 |
C:\Users\Admin\AppData\Local\Temp\tmpDEBB.tmp.bat
| MD5 | 42fb1292919446f13e66a67dc5e58c5b |
| SHA1 | 46bbaa07c8a185579973f8147fd8fb36ebad18d1 |
| SHA256 | 7074dfe5b2df3a88786ae9fb1ebce9a7eb30ddbc3f68efa6140de3b07d8c5459 |
| SHA512 | fb1d29efed6ccfbfc41e70d159b7142e61ce2a9657bb89de56974658da9ef8b9eb15075357498d7eaa8937d59570e705c582e3ad381f00238efa9d6449502a62 |
C:\Users\Admin\AppData\Local\Temp\tmpE743.tmp.bat
| MD5 | 481882c10556b0aeb38df9c8a1e9beaf |
| SHA1 | 1542de340c428da04df0874ba8be9ea69bdf8ac1 |
| SHA256 | 397d7e55332ec69f906e93def4e5a37f007e596fa94f75a4db331648529df577 |
| SHA512 | 56650ce2155458ddd9d94ef2660adc85fde1fc479e0c5da96a5a9b10f04cef995a22529175abca6ea867060ba3e3549b56110ac42df291ad2aee1bc1078bddb7 |
C:\Users\Admin\AppData\Local\Temp\tmpEFFA.tmp.bat
| MD5 | c76799c3a6355b10bc48bae55cb76c7d |
| SHA1 | 3b4f8fa991396be84b561bee4adcc0c97522efa8 |
| SHA256 | b793553e8ee8cc4193cc3488c77ee8b93586557a564757fac57bf8567a434ebd |
| SHA512 | daf69e51bb8141517b0ad4fbd7e56c67e04b7eccfc31bbb02bafda02e25ffc402b6d771c166d6c858423c3b1e78777130f2a5d8b3d5b5ed98dadba9683a6454a |
C:\Users\Admin\AppData\Local\Temp\tmpF892.tmp.bat
| MD5 | 583b041bc62af52f49baaba0a0ab5a70 |
| SHA1 | 8bed1c469ec9fda31ea5f76e7f170b9c456cf98d |
| SHA256 | 6ac3bd43477f5071b5266d578ace0a37803642ede93d92450b1662fb5227d16d |
| SHA512 | c454487cf11d02863e878ea8fbdada4e623b224445a85e1245a4d13fb0942617d901502ce73d28662d7a340912b8a296963804ac391a1161d3f69b3b3c94e4ca |
C:\Users\Admin\AppData\Local\Temp\tmpAC.tmp.bat
| MD5 | 1637428d5fae8f585f9aef2f614ae95a |
| SHA1 | eb59dc472c9ca4efe0ae551e5a99a8d0a56a722d |
| SHA256 | f0934cc866feae93af549f942a2a967a473e1ff6ee37720892fa99837ddbcfb9 |
| SHA512 | a5fc57c7c2113335b4a960678bcb5089cbe09fa60cc78d136e98916b22b8aa4540f3e27781b473775b94a61280c64864d325576b4b063041a807b8a4c66907bc |
C:\Users\Admin\AppData\Local\Temp\tmp973.tmp.bat
| MD5 | a8fac7da80cd807af63fedbf5bfd128b |
| SHA1 | af62efa61b7b02faed574d4235ffafeaf9a3fa42 |
| SHA256 | 24aafb996dfa3873cb5998afd9420ff52cf03df129c702cabf397ebe7f072a13 |
| SHA512 | 093ff9f7b96cc9eb7900ab181b44e16db1f6aca39ae3f4f52238578f3571904dd26ce6e621378423aeeb269cc2fcfbf128ac201a3bb6ed8315c8ef2aaf16400d |
C:\Users\Admin\AppData\Local\Temp\tmp116E.tmp.bat
| MD5 | 8230951f57891ad67ef2efba14eb40f1 |
| SHA1 | 9037ea4e5d6a40b0a08c9924e71ea5200ad0efc7 |
| SHA256 | 1c6499c2180415a75f75f9c2a9b9d7d433325e24241054e40f97db994729337a |
| SHA512 | 1aaf2d7417ac0d998e43df048027efe82ab404e6297471bdeb40c0e04a8cf08a04ce06f2a296c0774a64606ce177c8ac02d7bca22ce2dbd33c7305c52da95346 |
C:\Users\Admin\AppData\Local\Temp\tmp19C8.tmp.bat
| MD5 | 7fa396d225cea01ad0c10a59716e6f5a |
| SHA1 | f79e84911fa5e44ebf0fdc744eae8f6d9200f111 |
| SHA256 | 03eabcf858bf5e7eff9c0dcbcdb1f418f533570b623ac8c16a046b43cc9b0496 |
| SHA512 | 3151bec71dfcdc3a99a623e0a45db8a0b4dae72033a8ce8ff00858b6ab2287676ff23d05ada124d9c5ba239a8b2dea7ea216722b53470e7b33073abb93e6628f |
C:\Users\Admin\AppData\Local\Temp\lxwtmq.exe
| MD5 | 7acf2bc6384803884953d14c1a87a15d |
| SHA1 | 417a34f43f2bcde6d876459d35da80bf82411e99 |
| SHA256 | 59392a4c8e1e305e59a9b3b051c7b8488045d81a2c6b695dbf78c30c05d05b18 |
| SHA512 | ce44f9fa8524ea93d605afe1fc5320bfd6e611fd2de5c321bb041adea085ee00c87267ab8cae6bfe67168a8795d983c7371bde6f7a55699ffa29f5076cddfbbd |
memory/2296-374-0x0000000000910000-0x000000000091A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp233A.tmp.bat
| MD5 | 74b1e64757410ff268a3159e9eef8385 |
| SHA1 | fbb262896180ea0054b6438320b2e56f7b56ec33 |
| SHA256 | 8472677c4bc28b5cba7ffa75756bdb5e035225d6e20dfd83f5aeb4bc3df86565 |
| SHA512 | 0f5bdf93fb771f0c45928dc9cb863796ebd6fe4d9cf69395b31bc40b5e9750100810faa8ebc6c219b679c8ba6ca745f9befc7167b1ba89d34555360614e8539c |
C:\Users\Admin\AppData\Local\Temp\tmp2A99.tmp.bat
| MD5 | fdca5243bcc2467221476f7c40798cb6 |
| SHA1 | 5ad759584ab9bb4d63a5a7ef82ed4da033b80127 |
| SHA256 | 0f93bf1996a2f7eecdce0b6c6661c281d414a4bdba3e2ec5ad552f89904c64b1 |
| SHA512 | e7c894403cfd47f81eda2e45b2b4135cb66219d27783bfd5b243c42247321d63e5131209da887252f33efbfb2550742607ffc396e5053a9f0cc6cf48bf759f67 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:40
Platform
win7-20240729-en
Max time kernel
134s
Max time network
145s
Command Line
Signatures
NanoCore
Nanocore family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1676 set thread context of 1072 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe
"C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7281.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp |
Files
memory/2328-0-0x0000000074091000-0x0000000074092000-memory.dmp
memory/2328-10-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2328-11-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2328-12-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2328-13-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2328-14-0x0000000074090000-0x000000007463B000-memory.dmp
\Users\Admin\AppData\Roaming\app.exe
| MD5 | 48a244f299f720f0559a0c3a54f18506 |
| SHA1 | 53dfb58ddb0c7a668321e5aaf0fd0631bb902752 |
| SHA256 | 0f74f15a37da31a1bf653246d7dd8b15bb9512619a7981b9c83deb5b1c9c3c66 |
| SHA512 | 49078e212d514ea47b920f1c304b47cb21889fd9639c444439cc9bb79994b91a53f1384c2b1f27ade357a3a76d1303f4369e0de09016a7b139efb5c1f4fdb14e |
memory/2328-32-0x0000000074090000-0x000000007463B000-memory.dmp
memory/1676-33-0x0000000074090000-0x000000007463B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabA860.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b81f473c0c59b47638ae052feb200e17 |
| SHA1 | 257152dac2f6c6ab0259a6becee9e37361e516d6 |
| SHA256 | c6d7c9aa8e29ae7a0f33616283462dfe2997fd237111ab138827fbf232635c62 |
| SHA512 | c50488285b97515ab52f789d1b581ce6f00495d926422c14a94c5a82348cee7127a49b2b870c3185b043b0144841ade514ba05a686c907f6c1ed057d695369c3 |
memory/1676-34-0x0000000074090000-0x000000007463B000-memory.dmp
memory/1676-46-0x0000000074090000-0x000000007463B000-memory.dmp
memory/1676-45-0x0000000074090000-0x000000007463B000-memory.dmp
memory/1676-47-0x0000000074090000-0x000000007463B000-memory.dmp
memory/1072-59-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1072-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1072-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1072-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1072-55-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1072-53-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1072-51-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1072-49-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1676-64-0x0000000074090000-0x000000007463B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7281.tmp
| MD5 | d81eb43d26d4511c44151cba2eb45983 |
| SHA1 | 135c98e039c6ab35d4e9564f15f9c56dc9dbeb9a |
| SHA256 | a72a8f6434d6b0fb904db5adc8cab891d12c53b4ac1435dfd13df51f84a2d4d0 |
| SHA512 | b5895c19159d23a8fa312967e47d0855ac6f8f314f8931f54469b0c0079a22e9e00a5eaf6729761f74d54e111454d49813e658243e920a9c3434a5576cdda721 |
Analysis: behavioral32
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250314-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f8635990ea5e4f2c51d6306732973d.exe | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f8635990ea5e4f2c51d6306732973d.exe | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08f8635990ea5e4f2c51d6306732973d = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .." | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\08f8635990ea5e4f2c51d6306732973d = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .." | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\discord.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3004 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe | C:\Users\Admin\AppData\Roaming\discord.exe |
| PID 3004 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe | C:\Users\Admin\AppData\Roaming\discord.exe |
| PID 3004 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe | C:\Users\Admin\AppData\Roaming\discord.exe |
| PID 5004 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Roaming\discord.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 5004 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Roaming\discord.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 5004 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Roaming\discord.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe
"C:\Users\Admin\AppData\Local\Temp\f3ef636642aed1dd87c2fc6ee6307e36.exe"
C:\Users\Admin\AppData\Roaming\discord.exe
"C:\Users\Admin\AppData\Roaming\discord.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\discord.exe" "discord.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
| US | 8.8.8.8:53 | disha2024.ddns.net | udp |
Files
memory/3004-0-0x0000000074F52000-0x0000000074F53000-memory.dmp
memory/3004-1-0x0000000074F50000-0x0000000075501000-memory.dmp
memory/3004-2-0x0000000074F50000-0x0000000075501000-memory.dmp
C:\Users\Admin\AppData\Roaming\discord.exe
| MD5 | f3ef636642aed1dd87c2fc6ee6307e36 |
| SHA1 | 72e007f5a29963808e9fdcfecdf2024838373d43 |
| SHA256 | d04269233c1dae486565f17a4e83c5f89463e8f070d1e91a2c9f736278bbb62f |
| SHA512 | 24af2746679a052e7842e5ab46007c470349163fa97e6e485b49b9d8e7eb8e9720b97e84b6b21f085b7f16868607110cb51ee93e2730703a153fe105ce912560 |
memory/5004-14-0x0000000074F50000-0x0000000075501000-memory.dmp
memory/3004-13-0x0000000074F50000-0x0000000075501000-memory.dmp
memory/5004-12-0x0000000074F50000-0x0000000075501000-memory.dmp
memory/5004-16-0x0000000074F50000-0x0000000075501000-memory.dmp
memory/5004-17-0x0000000074F50000-0x0000000075501000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-22 06:18
Reported
2025-03-22 06:41
Platform
win10v2004-20250314-en
Max time kernel
134s
Max time network
146s
Command Line
Signatures
NanoCore
Nanocore family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5480 set thread context of 3544 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe
"C:\Users\Admin\AppData\Local\Temp\f2259737b967bbe88fc74916f319c61a.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCF13.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp | |
| SE | 91.236.116.142:5888 | tcp |
Files
memory/5484-0-0x0000000075152000-0x0000000075153000-memory.dmp
memory/5484-1-0x0000000075150000-0x0000000075701000-memory.dmp
memory/5484-2-0x0000000075150000-0x0000000075701000-memory.dmp
memory/5484-5-0x0000000075150000-0x0000000075701000-memory.dmp
memory/5484-6-0x0000000075150000-0x0000000075701000-memory.dmp
memory/5484-7-0x0000000075152000-0x0000000075153000-memory.dmp
memory/5484-8-0x0000000075150000-0x0000000075701000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | 03fec9db45b4e2b6bd119629c62afeed |
| SHA1 | f9e3d4f4c5142b8e9e62d876fb1d75022059936e |
| SHA256 | f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29 |
| SHA512 | f30c2d7bb2201b9f78c5c23bcad35a04bad30a23b32e8bba006b9fb4ac453476d303109802c5799d60c813d7e942f3f38f336075d9709af0c02daadf8762cd7c |
memory/5484-30-0x0000000075150000-0x0000000075701000-memory.dmp
memory/5480-32-0x0000000075150000-0x0000000075701000-memory.dmp
memory/5480-31-0x0000000075150000-0x0000000075701000-memory.dmp
memory/5480-34-0x0000000075150000-0x0000000075701000-memory.dmp
memory/5480-33-0x0000000075150000-0x0000000075701000-memory.dmp
memory/5480-35-0x0000000075150000-0x0000000075701000-memory.dmp
memory/3544-40-0x0000000075150000-0x0000000075701000-memory.dmp
memory/3544-41-0x0000000075150000-0x0000000075701000-memory.dmp
memory/3544-39-0x0000000075150000-0x0000000075701000-memory.dmp
memory/5480-43-0x0000000075150000-0x0000000075701000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCF13.tmp
| MD5 | d81eb43d26d4511c44151cba2eb45983 |
| SHA1 | 135c98e039c6ab35d4e9564f15f9c56dc9dbeb9a |
| SHA256 | a72a8f6434d6b0fb904db5adc8cab891d12c53b4ac1435dfd13df51f84a2d4d0 |
| SHA512 | b5895c19159d23a8fa312967e47d0855ac6f8f314f8931f54469b0c0079a22e9e00a5eaf6729761f74d54e111454d49813e658243e920a9c3434a5576cdda721 |
memory/3544-47-0x0000000075150000-0x0000000075701000-memory.dmp
memory/3544-48-0x0000000075150000-0x0000000075701000-memory.dmp
memory/3544-49-0x0000000075150000-0x0000000075701000-memory.dmp