Malware Analysis Report

2024-11-13 16:31

Sample ID 240510-kq3lwade3v
Target d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
SHA256 d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a
Tags
zgrat execution persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

Threat Level: Known bad

The file d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe was found to be: Known bad.

Malicious Activity Summary

zgrat execution persistence rat spyware stealer

Zgrat family

ZGRat

Process spawned unexpected child process

Modifies WinLogon for persistence

Detect ZGRat V1

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 08:49

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Zgrat family

zgrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 08:49

Reported

2024-05-10 08:51

Platform

win7-20240221-en

Max time kernel

117s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\images\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\images\\lsass.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

ZGRat

rat zgrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Internet Explorer\\images\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Internet Explorer\\images\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCC7342BD0AB83449798BDF4D7E673BB8.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\ickr0a.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\images\lsass.exe C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files\Internet Explorer\images\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files\Internet Explorer\images\lsass.exe C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2304 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2304 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2432 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2432 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2432 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2304 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\cmd.exe
PID 2304 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\cmd.exe
PID 2304 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\cmd.exe
PID 2888 wrote to memory of 2488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

"C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tctylovi\tctylovi.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1767.tmp" "c:\Windows\System32\CSCC7342BD0AB83449798BDF4D7E673BB8.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1O6MylLMzZ.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 956330cm.n9shteam2.top udp
US 104.21.90.190:80 956330cm.n9shteam2.top tcp
US 104.21.90.190:80 956330cm.n9shteam2.top tcp

Files

memory/2304-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

memory/2304-1-0x0000000000BB0000-0x0000000000D96000-memory.dmp

memory/2304-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2304-3-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2304-4-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2304-6-0x0000000000520000-0x000000000052E000-memory.dmp

memory/2304-9-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2304-8-0x0000000000B60000-0x0000000000B7C000-memory.dmp

memory/2304-18-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2304-19-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2304-17-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2304-16-0x0000000000540000-0x000000000054C000-memory.dmp

memory/2304-14-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2304-21-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2304-13-0x0000000000530000-0x000000000053E000-memory.dmp

memory/2304-11-0x0000000000B80000-0x0000000000B98000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe

MD5 1d61e62339d38ca2a129710265c26a89
SHA1 185c34e0d555ac3fdf7fefd1732409e65b6aedaf
SHA256 d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a
SHA512 0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b

\??\c:\Users\Admin\AppData\Local\Temp\tctylovi\tctylovi.cmdline

MD5 884f38b3a0cd76b4dbbf1d3db3395d0e
SHA1 94d70a14e3168d693fe2451c4f402779d95eeda0
SHA256 a6ea1498937116cebfedf78310a40535d3f3d20e462d4c308c69fbf04b26d505
SHA512 49c5fb3d8d3f095e31dd3671a523fa2d7bd93fd4719b6b01de8a6d9018d87f03949c3230c37bec539141848aeeccd84bbe6e1dc4a46a3811aa5b5d7ff033aa05

\??\c:\Users\Admin\AppData\Local\Temp\tctylovi\tctylovi.0.cs

MD5 d433f57cb16fad1de3e65a1a3d19a02a
SHA1 a386469d2b4bbcbbdc2b41bbe8a152dc106f5766
SHA256 785659ebfc0aad23778467b5cdd0b91b657231cb89f5ce9403cc424c577cd36f
SHA512 aae8e4efc86da92c264bf55bbf47c70bfe19051f85342e7ca049a4daed545dedb8bb7a581cb86a7f159498dfe94352d9fbf16ff20b5d0136e26a63082e426f98

\??\c:\Windows\System32\CSCC7342BD0AB83449798BDF4D7E673BB8.TMP

MD5 3ffa0b85adc175bc535d5b61b093b6a5
SHA1 7fa7715f9f18aa1d9edc45935ca867602fa37894
SHA256 f05ea17245f2e54aa3b2a0a8ede3f86af5fb4e4f0cf0a6aa69c4e95103304d46
SHA512 d1034200ad1232d7e36d3d867e701357c9eb8e8ad063743deceb563b24eb099e6ea660e38099cf161c12c97fe11cf6b044a31846949d63d4a121f1692c9e6fde

C:\Users\Admin\AppData\Local\Temp\RES1767.tmp

MD5 134d2929e5653c4dbe3d324d5afddf5b
SHA1 031492bafd5ce3987577548a75eaa223d2498641
SHA256 1fcb0f4805c33dd9fd87b80e0de9edb5a7a90b428692061a04b2266cb4814fae
SHA512 433cdc242f0acbf4bdbc2d05fd005a269d3eaf69c93fc78e30162d4abc974c64c3b2237b5a85bd8659a8c8b9fdd5017edbd46ffd8bb807feb424b217c4f9ce6d

memory/392-60-0x0000000002950000-0x0000000002958000-memory.dmp

memory/392-56-0x000000001B530000-0x000000001B812000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A6UWJY0TVQXFKUFNOTNF.temp

MD5 fbbcf1d6a8ee55636f119571bdfea06a
SHA1 f13590fd03ad6558eace642d481cb7c800ffac80
SHA256 84d0e63e65ceab0b00a98a4cd35e86ab4b851f5224cee44acc99488888e3b9b3
SHA512 835e994c4997e30382150ea17ebca18ff6e44129113ca03e42763f99859bb313b6aa206141d30a1bb0c87970e8d75dc9a550df6105264803ffb11052c2b42fa4

memory/2304-48-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1O6MylLMzZ.bat

MD5 61407c5babd2742b2cd0b33f36ea3377
SHA1 54ab354b8d5562c0f9416e95fc6dd2678e76e51d
SHA256 d3020412577b3bd3a94cfadd62a741590a11c09bc2bd0bdc63b0c3b7849e2dd0
SHA512 1b3d27ab69b38e21b97c9a1cbcfced141cbd807e147d3b090d9c0f7bf244a02e7f279aa10d1edce7c728f64ece8365d24530d4ee2c5ab5d15e6d6ccb9ba356ba

memory/2872-140-0x0000000000960000-0x0000000000B46000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 08:49

Reported

2024-05-10 08:51

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\backgroundTaskHost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\backgroundTaskHost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\backgroundTaskHost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\", \"C:\\Windows\\ShellExperiences\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\backgroundTaskHost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\", \"C:\\Windows\\ShellExperiences\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\backgroundTaskHost.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\", \"C:\\Windows\\ShellExperiences\\services.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\dwm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a = "\"C:\\Recovery\\WindowsRE\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a = "\"C:\\Recovery\\WindowsRE\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\ShellExperiences\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Windows NT\\Accessories\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Windows NT\\Accessories\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\ShellExperiences\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCA09DAC8CC6AA49DDA5763341A02982CF.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\jpzkqk.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\Registry.exe C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files\7-Zip\Lang\dwm.exe C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\Registry.exe C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Program Files\Windows NT\Accessories\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created \??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC21A2CD3B4268444EAE253384FE9B0E7.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ShellExperiences\services.exe C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
File created C:\Windows\ShellExperiences\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\Lang\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1200 wrote to memory of 2632 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4924 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4404 wrote to memory of 4588 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4924 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe C:\Windows\System32\cmd.exe
PID 4716 wrote to memory of 6068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4716 wrote to memory of 5616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4716 wrote to memory of 6080 N/A C:\Windows\System32\cmd.exe C:\Program Files\7-Zip\Lang\dwm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

"C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utdo2mok\utdo2mok.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF09A.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC21A2CD3B4268444EAE253384FE9B0E7.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ouu42bpv\ouu42bpv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF107.tmp" "c:\Windows\System32\CSCA09DAC8CC6AA49DDA5763341A02982CF.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellExperiences\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A0BkazGqVh.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4016,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\7-Zip\Lang\dwm.exe

"C:\Program Files\7-Zip\Lang\dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 956330cm.n9shteam2.top udp
US 172.67.159.202:80 956330cm.n9shteam2.top tcp
US 172.67.159.202:80 956330cm.n9shteam2.top tcp
US 8.8.8.8:53 202.159.67.172.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe

\??\c:\Users\Admin\AppData\Local\Temp\utdo2mok\utdo2mok.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\utdo2mok\utdo2mok.0.cs

\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC21A2CD3B4268444EAE253384FE9B0E7.TMP

C:\Users\Admin\AppData\Local\Temp\RESF09A.tmp

\??\c:\Users\Admin\AppData\Local\Temp\ouu42bpv\ouu42bpv.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\ouu42bpv\ouu42bpv.0.cs

\??\c:\Windows\System32\CSCA09DAC8CC6AA49DDA5763341A02982CF.TMP

C:\Users\Admin\AppData\Local\Temp\RESF107.tmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eym1l5c4.xwf.ps1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Users\Admin\AppData\Local\Temp\A0BkazGqVh.bat

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log