Malware Analysis Report

2024-10-10 12:59

Sample ID 240603-l3bvcsca76
Target RealtekHDAudioUniversalService_NeikiAnalytics
SHA256 7e4efd43ace17028eacb97352fe2ea46d44b96aca3068130b0cdec4dbba081b1
Tags
dcrat infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7e4efd43ace17028eacb97352fe2ea46d44b96aca3068130b0cdec4dbba081b1

Threat Level: Known bad

The file RealtekHDAudioUniversalService_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat

DCRat payload

Process spawned unexpected child process

DcRat

Modifies WinLogon for persistence

Dcrat family

DCRat payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:03

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:03

Reported

2024-06-03 10:05

Platform

win7-20231129-en

Max time kernel

123s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\27d1bcfc3c54e0 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\Admin\\Templates\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\", \"C:\\bridgeHyperCrt\\sppsvc.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\MSOCache\\All Users\\lsm.exe\", \"C:\\Windows\\CSC\\lsm.exe\", \"C:\\bridgeHyperCrt\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\", \"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Users\\Admin\\Templates\\winlogon.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\bridgeHyperCrt\\sppsvc.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Portable Devices\\cmd.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\CSC\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\Templates\\winlogon.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\System.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\CSC\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\bridgeHyperCrt\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\csrss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\bridgeHyperCrt\\sppsvc.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\bridgeHyperCrt\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\lsm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\explorer.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Package Cache\\sppsvc.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\Templates\\winlogon.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ebf1f9fa8afd6d C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\27d1bcfc3c54e0 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\7a0fd90576e088 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\cmd.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CSC\lsm.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Windows\CSC\101b941d020240 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Portable Devices\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 836 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 836 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 836 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 2808 wrote to memory of 2964 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2964 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2964 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2964 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
PID 2964 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
PID 2964 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
PID 2964 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
PID 2552 wrote to memory of 2400 N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2400 N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2400 N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2400 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2400 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2400 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\cmd.exe
PID 2400 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\cmd.exe
PID 2400 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeHyperCrt\FOAEdrh1BxsF.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\bridgeHyperCrt\OI0pwrYEs8WKMbQhaocS5DTAkNJim.bat" "

C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe

"C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\bridgeHyperCrt\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\bridgeHyperCrt\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\bridgeHyperCrt\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\CSC\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\CSC\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\bridgeHyperCrt\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\bridgeHyperCrt\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\bridgeHyperCrt\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Templates\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xC7r6FxMav.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\cmd.exe

"C:\Program Files (x86)\Windows Portable Devices\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0984531.xsph.ru udp
RU 141.8.192.163:80 a0984531.xsph.ru tcp
RU 141.8.192.163:80 a0984531.xsph.ru tcp
RU 141.8.192.163:80 a0984531.xsph.ru tcp

Files

C:\bridgeHyperCrt\FOAEdrh1BxsF.vbe

MD5 91dfc7252bcd06d82af9f64190b08c7e
SHA1 4eea175d57c3631c0dab65cff1c325d59b5d34a8
SHA256 fdee20a4260f6ba25d38608473eb51910fd1780e104edc51b7feea672f23858b
SHA512 b56eea94d6f4660f1022464c82d0595c8ddf18fdd5977c6bc9dd7baae2c8090d188b418c1b6d2556e3b630823d526b27640d06fe8a5f6fffc776caa4907b2d30

C:\bridgeHyperCrt\OI0pwrYEs8WKMbQhaocS5DTAkNJim.bat

MD5 ae3ca8c85d0b24e4a5d8665f7cb83466
SHA1 cea7807241d92dca00ed5d9283e21142ffbbb14c
SHA256 afddd637f38e2c904b3c6c717d6277fe9f9566e29f2940e371289ab259f4e869
SHA512 e3379655f409bd348fbcf61be7cba93627b0a3fb30cadc47f036e3fe03a69d2e9631d7339984ae426cbd5145db1c22a9aec5c98f5806ef0caf1bf69a412c1c99

\bridgeHyperCrt\Realtek HD Audio Universal Service.exe

MD5 8b8ad5d190af5992165ab74f2c4d2539
SHA1 4c7dcd839b39b6da31c575e6c0078b948c486ca0
SHA256 fa7c73b719b35f3ed6e23c1c1f216f9c344a3a95a46d9779ddb90cacbde81624
SHA512 eb957611286cc642dac606a2cd65ae49a67c15832f5383983dc65075d48ab7c4c74873a30cbf9ff024b29d0282b2e1e6e731365a78f23c912fbd5a799568aa0c

memory/2552-13-0x0000000000B10000-0x0000000000D54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xC7r6FxMav.bat

MD5 863ac2562decda84936abc14395bc993
SHA1 9d67c3a49ad74df5b7608d6be0d09c81cb9d8757
SHA256 49b7c7341e1617afc4c4e9dfe8c9626313abc1931a6de95018d7b572b4a8f76e
SHA512 b1c0b121467dc3f7cb4712d91030479190b1738380d24ddc9c5fbb291dce55ab8da52fcec98658f987d31d24631ae842294789724d1600d6e44172d129c491ee

memory/2600-57-0x0000000000E00000-0x0000000001044000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:03

Reported

2024-06-03 10:05

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\", \"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\smss.exe\", \"C:\\bridgeHyperCrt\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\", \"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\smss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\", \"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\", \"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\smss.exe\", \"C:\\bridgeHyperCrt\\unsecapp.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\", \"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\smss.exe\", \"C:\\bridgeHyperCrt\\unsecapp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\LiveKernelReports\\wininit.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\", \"C:\\bridgeHyperCrt\\Idle.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\bridgeHyperCrt\\unsecapp.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\bridgeHyperCrt\\dllhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\bridgeHyperCrt\\dllhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\LiveKernelReports\\wininit.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Downloaded Program Files\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\smss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\bridgeHyperCrt\\unsecapp.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\bridgeHyperCrt\\Idle.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\dotnet\\swidtag\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\bridgeHyperCrt\\Idle.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Speech\\Engines\\Lexicon\\StartMenuExperienceHost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\LiveKernelReports\\wininit.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\smss.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\conhost.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\swidtag\RuntimeBroker.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files\dotnet\swidtag\9e8d7a4ca61bd9 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files\7-Zip\Lang\dwm.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\088424020bedd6 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\servicing\SQM\sysmon.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Windows\LiveKernelReports\wininit.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Windows\LiveKernelReports\56085415360792 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Windows\Downloaded Program Files\RuntimeBroker.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Windows\Downloaded Program Files\9e8d7a4ca61bd9 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Windows\Speech\Engines\Lexicon\StartMenuExperienceHost.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
File created C:\Windows\Speech\Engines\Lexicon\55b276f4edf653 C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Downloaded Program Files\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2708 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 2708 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 2708 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 4292 wrote to memory of 2844 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 2844 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 2844 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
PID 2844 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
PID 2556 wrote to memory of 1448 N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe C:\Windows\System32\cmd.exe
PID 2556 wrote to memory of 1448 N/A C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe C:\Windows\System32\cmd.exe
PID 1448 wrote to memory of 5044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1448 wrote to memory of 5044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1448 wrote to memory of 2260 N/A C:\Windows\System32\cmd.exe C:\Windows\Downloaded Program Files\RuntimeBroker.exe
PID 1448 wrote to memory of 2260 N/A C:\Windows\System32\cmd.exe C:\Windows\Downloaded Program Files\RuntimeBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioUniversalService_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeHyperCrt\FOAEdrh1BxsF.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\bridgeHyperCrt\OI0pwrYEs8WKMbQhaocS5DTAkNJim.bat" "

C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe

"C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\bridgeHyperCrt\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\bridgeHyperCrt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\bridgeHyperCrt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\Lexicon\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Lexicon\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\Lexicon\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\bridgeHyperCrt\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\bridgeHyperCrt\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\bridgeHyperCrt\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\bridgeHyperCrt\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\bridgeHyperCrt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\bridgeHyperCrt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iDTAhKxGqm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Downloaded Program Files\RuntimeBroker.exe

"C:\Windows\Downloaded Program Files\RuntimeBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 a0984531.xsph.ru udp
RU 141.8.192.163:80 a0984531.xsph.ru tcp
RU 141.8.192.163:80 a0984531.xsph.ru tcp
US 8.8.8.8:53 163.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 141.8.192.163:80 a0984531.xsph.ru tcp
US 8.8.8.8:53 udp

Files

C:\bridgeHyperCrt\FOAEdrh1BxsF.vbe

C:\bridgeHyperCrt\OI0pwrYEs8WKMbQhaocS5DTAkNJim.bat

C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe

memory/2556-12-0x00007FFA96453000-0x00007FFA96455000-memory.dmp

memory/2556-13-0x0000000000060000-0x00000000002A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iDTAhKxGqm.bat
