Malware Analysis Report

2024-10-10 12:49

Sample ID 240603-m3lv1add87
Target a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics
SHA256 13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc
Tags: dcrat evasion infostealer rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 13cc97185f7caa3a67fb2f2325ae2741db7f880eeab103799cd3a2747056ccbc

Threat Level: Known bad

The file a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

DcRat

UAC bypass

Process spawned unexpected child process

DCRat payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies registry class

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 10:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 10:59

Reported: 2024-06-03 11:01

Platform: win7-20240221-en

Max time kernel: 150s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A

DCRat payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\SIGNUP\csrss.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhost.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\088424020bedd6 C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files\Windows Sidebar\ja-JP\ebf1f9fa8afd6d C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files (x86)\Google\Temp\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files\MSBuild\Microsoft\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files\Windows Sidebar\ja-JP\cmd.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files (x86)\Google\Temp\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ShellNew\dwm.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Windows\ShellNew\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
N/A N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 3028 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 3028 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 3028 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2028 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2028 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2624 wrote to memory of 2528 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2528 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2528 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2528 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe
PID 2528 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe
PID 2528 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe
PID 2528 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe
PID 2600 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe C:\Windows\System32\cmd.exe
PID 2600 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe C:\Windows\System32\cmd.exe
PID 2600 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe C:\Windows\System32\cmd.exe
PID 2808 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2808 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2808 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2808 wrote to memory of 2480 N/A C:\Windows\System32\cmd.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 2808 wrote to memory of 2480 N/A C:\Windows\System32\cmd.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 2808 wrote to memory of 2480 N/A C:\Windows\System32\cmd.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 2480 wrote to memory of 1464 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2480 wrote to memory of 1464 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2480 wrote to memory of 1464 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2480 wrote to memory of 1488 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2480 wrote to memory of 1488 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2480 wrote to memory of 1488 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 1464 wrote to memory of 1604 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 1464 wrote to memory of 1604 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 1464 wrote to memory of 1604 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 1604 wrote to memory of 1932 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 1604 wrote to memory of 1932 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 1604 wrote to memory of 1932 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 1604 wrote to memory of 1280 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 1604 wrote to memory of 1280 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 1604 wrote to memory of 1280 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 1932 wrote to memory of 892 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 1932 wrote to memory of 892 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 1932 wrote to memory of 892 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 892 wrote to memory of 724 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 892 wrote to memory of 724 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 892 wrote to memory of 724 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 892 wrote to memory of 2596 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 892 wrote to memory of 2596 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 892 wrote to memory of 2596 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 724 wrote to memory of 2488 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 724 wrote to memory of 2488 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 724 wrote to memory of 2488 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 2488 wrote to memory of 2388 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2388 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2388 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2692 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2692 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2692 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2388 wrote to memory of 2644 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 2388 wrote to memory of 2644 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 2388 wrote to memory of 2644 N/A C:\Windows\System32\WScript.exe C:\Program Files\MSBuild\Microsoft\Idle.exe
PID 2644 wrote to memory of 1592 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2644 wrote to memory of 1592 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe
PID 2644 wrote to memory of 1592 N/A C:\Program Files\MSBuild\Microsoft\Idle.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MSBuild\Microsoft\Idle.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\JFcWz5uGBCcQNylIeBn.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\FCDPQha3l1059hFdl7xiPA.bat" "

C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe

"C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\ja-JP\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ShellNew\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellNew\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ComContainerC" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\ComContainer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ComContainer" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\ComContainer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ComContainerC" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\ComContainer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\NetHood\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Default\NetHood\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\SIGNUP\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B27xTnLrqw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95bb6168-8951-4aff-bc3a-defc0663d248.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68ee3aeb-d77a-4ef9-8dd2-4c8dade8df01.vbs"

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c753f4d-cebd-47e5-a893-703030071c46.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a325eb1-b5c5-46fb-8eea-68f6270a1edd.vbs"

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2688d0fe-9730-4fb5-b4cb-bf9079158536.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a5d4568-5fae-4810-91fd-e0386e3fc9d0.vbs"

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe0be2e5-77a7-4fdf-87a0-7fa55230fcbb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c701b0b-61c4-4878-9ef6-1ceab160dce2.vbs"

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84137abf-cdfd-4f2b-b86e-9c349d215405.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e8a4a68-753d-4402-830b-5d56ce94a991.vbs"

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d95945ca-56af-4fdf-a58d-c30dd5e6e1a4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9228600-8f80-4090-8a82-3e1fdbc35b40.vbs"

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e26a367-ed4a-4ad5-85b9-85ad210afb2a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cde3a11c-275c-4ba7-95b2-3a222a1b1df2.vbs"

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\182019a0-8693-46f4-ab95-fb7f5739d828.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d08aadba-c004-47e4-9385-00a893ca34d9.vbs"

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2f49e9d-8aaf-4c46-a745-91c615a760ac.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23ac6e26-8120-41ff-b05a-a37dc4caa621.vbs"

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10201be9-9fdf-4d0a-bd31-62c0e85361e4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2df1768a-bdf2-4c20-a185-90b888e7ceb8.vbs"

C:\Program Files\MSBuild\Microsoft\Idle.exe

"C:\Program Files\MSBuild\Microsoft\Idle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0982456.xsph.ru udp
RU 141.8.192.103:80 a0982456.xsph.ru tcp
RU 141.8.192.103:80 a0982456.xsph.ru tcp
RU 141.8.192.103:80 a0982456.xsph.ru tcp
RU 141.8.192.103:80 a0982456.xsph.ru tcp
RU 141.8.192.103:80 a0982456.xsph.ru tcp
RU 141.8.192.103:80 a0982456.xsph.ru tcp
RU 141.8.192.103:80 a0982456.xsph.ru tcp
RU 141.8.192.103:80 a0982456.xsph.ru tcp
RU 141.8.192.103:80 a0982456.xsph.ru tcp
RU 141.8.192.103:80 a0982456.xsph.ru tcp

Files

memory/3028-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

memory/3028-1-0x0000000000A30000-0x0000000000BC6000-memory.dmp

memory/3028-5-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 84c02f6e1108d21bc6d871d4f0e67dd1
SHA1 fc46781b941cb8b9493d1f89a835e60eebad1fe1
SHA256 0b3af1714c58b112a179b1efe5d9b381cba0c06450860ae8134b386fe2fe5e8f
SHA512 c4ca21b5b571eaaa58f63134337b2d01f9aba2dd1684a5ca2e57c8df34cf266b846fddc21f2b567cec3c714d08d47103059cb848a1a5e9efcaf6b3efde069510

memory/3028-9-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\JFcWz5uGBCcQNylIeBn.vbe

MD5 8f6a53617f67becfab8753b32ce07e70
SHA1 111bfba12a529a29baf5c80300dd5f4432be5c20
SHA256 146e2cc8c7a342377dde4a2d323fba53afa9833e66539de23d120f414c4ffd4e
SHA512 e40ee02738f686db97275ab9c87c2b96081d7395c3fe6365ee19c3348dd3f09ee3d423ad686af4e2f9214a0e1e3078bd4e7e4c2030ea87545b2b57cc60f531dc

C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\FCDPQha3l1059hFdl7xiPA.bat

MD5 b56593dfa47cd5d585cf8f8d88c11b05
SHA1 c70b8eec01fe9102c2e7cd3605dab47756f9643e
SHA256 bae7494aa08a5d634830c205febb819b546b1633d2d2c74be6b78eee19c5514c
SHA512 402da79f69e08391217210a273eb735036760ebfd5115537c8965128e11640071ba76438d7d236b6c93db697e90f9a994a2fcc29fed02edcb7ef6195a703c7b4

\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe

MD5 d4d11ed815db57efe9580e29900df34e
SHA1 14b275d8df38bad245b92c1980a1e0eb6491dbce
SHA256 fb41a0fd339ab301f2f33eb97a562af1876e394493fe9f114fa6ff5f9f7d82b8
SHA512 375d489af26b7c48e8d73f31e2105bab5f84e80e7f8c32813a6ca574583c3ace0dfc23720964fc10000b3eeda70ab34ca692b22c9c696fc046c6509f38f8263b

memory/2600-23-0x00000000008D0000-0x0000000000A9E000-memory.dmp

memory/2600-24-0x00000000002B0000-0x00000000002BE000-memory.dmp

memory/2600-25-0x0000000000350000-0x000000000036C000-memory.dmp

memory/2600-26-0x0000000000890000-0x00000000008A6000-memory.dmp

memory/2600-27-0x0000000000650000-0x0000000000660000-memory.dmp

memory/2600-28-0x0000000000670000-0x000000000067A000-memory.dmp

memory/2600-29-0x00000000008B0000-0x00000000008BC000-memory.dmp

memory/2600-30-0x00000000008C0000-0x00000000008C8000-memory.dmp

memory/2600-31-0x0000000002130000-0x000000000213C000-memory.dmp

memory/2600-32-0x0000000002140000-0x0000000002152000-memory.dmp

memory/2600-33-0x0000000002170000-0x000000000217C000-memory.dmp

memory/2600-34-0x0000000002180000-0x0000000002188000-memory.dmp

memory/2600-35-0x0000000002190000-0x000000000219C000-memory.dmp

memory/2600-36-0x00000000021A0000-0x00000000021AA000-memory.dmp

memory/2600-37-0x00000000021B0000-0x00000000021BE000-memory.dmp

memory/2600-38-0x00000000021C0000-0x00000000021C8000-memory.dmp

memory/2600-39-0x00000000021D0000-0x00000000021DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B27xTnLrqw.bat

MD5 2736362870b6ace7d721062dff353f5c
SHA1 53cbb9cb283e49270c31fcfb154ea81f1ec26f32
SHA256 69aff56411ac457b75e2563a0ccbe23a697bd173b4388aa75f7eb3e21f336406
SHA512 1733f2a197f3462956766937569ed81b620fbc5fcffad04f172ed9988ee82f5206c10d6f1dee1f91d17a43bca2084bea49f6cad731e5f85976c93f3052c36273

memory/2480-86-0x0000000000040000-0x000000000020E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\68ee3aeb-d77a-4ef9-8dd2-4c8dade8df01.vbs

MD5 c0f9d09b51a66a1e8b6ad38c4431961c
SHA1 960044e5076bb13682c489ca69ad84dea511d7c5
SHA256 485d9b7d5fd4b7ded03dbf2a17d6a764f3021dc8c04a206d049763ad5abdeaf2
SHA512 d8c67ea5384585883afe965f14ad05b4558639492149967632ff7de79afdbc0b83caab9a1091ed271608055ce9bcb3bd2f731ea5877952b1d9ab24a1d1cd5f39

C:\Users\Admin\AppData\Local\Temp\95bb6168-8951-4aff-bc3a-defc0663d248.vbs

MD5 4b467e5a9e4cc4f98296f3b6b884b024
SHA1 ab59ce752d7abb942ef8259a09e325b32815d330
SHA256 f984a056487ce939abc743743f015eb6f488ee5fbd29cacc6215392549454813
SHA512 60e0fbb9747df356790c954dc18e22e6d6fb12306479544e4830dba1843417ac2d5d75461a9a8f10451975ae4a4364c85b04da24800df0e8a89f68ccd5faf6c5

memory/1604-97-0x0000000000990000-0x0000000000B5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4c753f4d-cebd-47e5-a893-703030071c46.vbs

MD5 8e7cf773b7ef3be74a5734cc36452cff
SHA1 bc4aae9e8254bbd910fb1a46990b7cc002dc0d87
SHA256 9ca4448f1848e3660f6b2579b4e927e0c196b2c5a2de8e6919713751a63e39f6
SHA512 fbb1a2b298d25dae7aec321bb926d8e247c584f48647d21bfba238e894d48730c1ff9f08954aef76115fdf4c61e00de83fd92abb0d30a36d9d6a3e0824d94ef6

memory/892-109-0x0000000000390000-0x000000000055E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2688d0fe-9730-4fb5-b4cb-bf9079158536.vbs

MD5 ca2915cd41326657c802f78fc445ac2e
SHA1 8da156abb62a72a6553fd88fd306c3162ad8e00e
SHA256 d4e165c2ea73b27635b6b000c5eb8e3cd23d40e4ba505b6f404633d5d4052a95
SHA512 a4aa5ff11f7fe92fe29da5ee692cf5595036effc3f7f04644d3eee951503040949e909829f0cd7793b581b418dba23ac578d25f8e4b22ed1a9fbcc8af6c0b9dd

memory/2488-121-0x0000000001300000-0x00000000014CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fe0be2e5-77a7-4fdf-87a0-7fa55230fcbb.vbs

MD5 22af74d959e320912f0eca479b712b8a
SHA1 6235dc209c220c6aa0ce2db50ef988a16f73aee9
SHA256 966bbcace03ce0e844fdca8831f4042a895c1b7dcd6b9e75c27b45b3a49cd6a5
SHA512 a08442c6d0eb5c790f35896477931dcd199c417f386e5d8e8b6cb989d5550ea8cff33c4500938b28dff8f25c96d035a0a57f30f6cd5ff4b47f6318bb99895a73

memory/2644-133-0x0000000000330000-0x00000000004FE000-memory.dmp

memory/2644-134-0x0000000000590000-0x00000000005A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84137abf-cdfd-4f2b-b86e-9c349d215405.vbs

MD5 ad4c2b25931211b5072d5452a71228a7
SHA1 568952954cc3b2fb7e8d0d3eed8fa45005e9ceb3
SHA256 e917eac0c91c77b83c888e0ebf3903246a79f92ac85311a3c15713871425a07f
SHA512 f7c1325f2b3e195f08a340234877e026ca3047a831206d8f3633d82015e56ca2aa55cd1d0455169f67a8b58be7608b176c283cf0dbdb0d7fe59807565278128c

memory/2132-146-0x0000000000290000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d95945ca-56af-4fdf-a58d-c30dd5e6e1a4.vbs

MD5 d323acb4fc72e74d2c49772011880d41
SHA1 6502749961ddb983fcc42e25a096ae3c20d0133e
SHA256 ac7ea9130b03e9121dce3e249b1c4e3e3b36dd22d4bfc62eec12cc99a86176fd
SHA512 a6a097f0f20f2eaeeb7dc506553673c8b0f55895317f9f1a30f70c51b4f1951840db4d638677921ff1e2e24519c115c1d0eec27ffd0bd75b277ebeb5bda8ba10

memory/1700-158-0x0000000000AC0000-0x0000000000C8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e26a367-ed4a-4ad5-85b9-85ad210afb2a.vbs

MD5 c55fda3f3331418d77eea1a74c2b00d7
SHA1 5f4c895934d46f55117b0e17609ffb1520c0d3ab
SHA256 6e0eebb47ae99b3e982847e8cf6ded5d3fbc9fa2843f766a89334a53c0783565
SHA512 9211f2b0138fc5e795887c23d1d8e6b7853707d6db44e05ef28c4432bbf3670c471498cf26293475fd1a658906fe7219035cf297067daf88bbf26fbf883ca1d7

memory/1732-170-0x0000000000DA0000-0x0000000000F6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\182019a0-8693-46f4-ab95-fb7f5739d828.vbs

MD5 80a851a2a43d007ed81edee4beeff323
SHA1 41919655e7b2c6b5e3716a9d8aad19f1da55565c
SHA256 01a53f94388454245f331f9700ca663499ba0cb1435ea172baab29c16031e60f
SHA512 f59e8e044b68c6f16a3510371a73b80c6296316e8b0cc6757932ba85a3c310bf1247d2474750af04b6c554c8375e585dd0d62e20669fe8519049778b052b412c

memory/1712-182-0x00000000000D0000-0x000000000029E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a2f49e9d-8aaf-4c46-a745-91c615a760ac.vbs

MD5 2d20435498127aef770c0f62346594a3
SHA1 ee83f37c6eef19628f2c50dc1bd05e9aa9e991a1
SHA256 c7fc68e3ec61251d942b437a73adb8de43d4be71cdc498af5213c2235b447bf0
SHA512 dff54ddb892502e9c17865e638983e25a37a0f8ca6ccdb750e3543e73785dad9a6ed25e3ff5f165816a3e87fac9b95a9f6da846e06ba6ad60f3e38a26f6adfc3

C:\Users\Admin\AppData\Local\Temp\10201be9-9fdf-4d0a-bd31-62c0e85361e4.vbs

MD5 d3d61641b9cdd48f33fa2ab9b99da978
SHA1 df8dbfc789dce7dd8104257ccaa41f270258346b
SHA256 9246f189184c7d64c57f55ffbcbd813fec9a10f7a287776f0964835d3f27a6a5
SHA512 720af61d0589f402f1db424cbd2e0723ceb5150d61e6e61bfce4371c34b75bcea6f3d30914b0cd8828ac57cc9f84689a13547b5d286ba6526b4f5f448afbea7e

memory/2580-205-0x0000000000850000-0x0000000000A1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:59

Reported

2024-06-03 11:02

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (repeated 33 times)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\msedge.exe N/A (repeated 10 times)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\msedge.exe N/A (repeated 10 times)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\msedge.exe N/A (repeated 10 times)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (repeated 3 times)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\All Users\msedge.exe N/A (repeated 9 times)
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\msedge.exe N/A (repeated 10 times)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\msedge.exe N/A (repeated 10 times)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\fr-FR\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WaaSMedicAgent.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\c82b8037eab33d C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (repeated 33 times)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\All Users\msedge.exe N/A (repeated 9 times)
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A (repeated 13 times)
N/A N/A C:\Users\All Users\msedge.exe N/A (repeated 20 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\msedge.exe N/A (repeated 10 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe (repeated 3 times)
PID 2604 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe (repeated 3 times)
PID 1596 wrote to memory of 1352 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (repeated 3 times)
PID 1352 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe (repeated 2 times)
PID 2044 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe C:\Users\All Users\msedge.exe (repeated 2 times)
PID 2288 wrote to memory of 4516 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 2288 wrote to memory of 1416 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 4516 wrote to memory of 4508 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\msedge.exe (repeated 2 times)
PID 4508 wrote to memory of 1996 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 4508 wrote to memory of 2860 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 1996 wrote to memory of 696 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\msedge.exe (repeated 2 times)
PID 696 wrote to memory of 2136 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 696 wrote to memory of 1184 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 2136 wrote to memory of 2012 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\msedge.exe (repeated 2 times)
PID 2012 wrote to memory of 4996 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 2012 wrote to memory of 2548 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 4996 wrote to memory of 2876 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\msedge.exe (repeated 2 times)
PID 2876 wrote to memory of 4328 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 2876 wrote to memory of 4264 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 4328 wrote to memory of 220 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\msedge.exe (repeated 2 times)
PID 220 wrote to memory of 4232 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 220 wrote to memory of 2184 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 4232 wrote to memory of 228 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\msedge.exe (repeated 2 times)
PID 228 wrote to memory of 3544 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 228 wrote to memory of 3156 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 3544 wrote to memory of 2164 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\msedge.exe (repeated 2 times)
PID 2164 wrote to memory of 1004 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 2164 wrote to memory of 3364 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 1004 wrote to memory of 5024 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\msedge.exe (repeated 2 times)
PID 5024 wrote to memory of 3980 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe (repeated 2 times)
PID 5024 wrote to memory of 4276 N/A C:\Users\All Users\msedge.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\msedge.exe N/A (repeated 10 times)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\msedge.exe N/A (repeated 10 times)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\msedge.exe N/A (repeated 10 times)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0fc62e3b7ee3716781698677ef0a315_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\JFcWz5uGBCcQNylIeBn.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\FCDPQha3l1059hFdl7xiPA.bat" "

C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe

"C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\fr-FR\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\odt\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\odt\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Registry.exe'" /rl HIGHEST /f

C:\Users\All Users\msedge.exe

"C:\Users\All Users\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70e78375-b5d5-42c7-9b91-09324094609f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25b88e27-7b23-4420-8511-9b5c6ae4f352.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Users\All Users\msedge.exe

"C:\Users\All Users\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa425a41-35ba-4510-9e0c-0ce44df216e9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63d2e392-f1a6-4457-abbf-d019ce5e7204.vbs"

C:\Users\All Users\msedge.exe

"C:\Users\All Users\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6e72fc6-c595-4ddb-968c-ca074d337448.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd257199-6106-4e5b-a0aa-cb3f48f8351e.vbs"

C:\Users\All Users\msedge.exe

"C:\Users\All Users\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33af6be1-2334-4bf4-aee5-ae85ffbfa478.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\630ca480-88f1-4550-95fa-c77f0dbf4d5c.vbs"

C:\Users\All Users\msedge.exe

"C:\Users\All Users\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c9e23b5-3287-435c-b6b8-c67ad50d2180.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df05f5a2-40ed-49bc-90ca-5f73fe523860.vbs"

C:\Users\All Users\msedge.exe

"C:\Users\All Users\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87a28b94-122a-4d7f-91fe-eb1ac774fb62.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f9304aa-3f09-4187-be37-d652fad03a40.vbs"

C:\Users\All Users\msedge.exe

"C:\Users\All Users\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\576b8332-1280-4030-9a97-8f5ae7fa050c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5179f05-9386-4b1a-8076-a30b3516765d.vbs"

C:\Users\All Users\msedge.exe

"C:\Users\All Users\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6337a296-66e4-4d44-a8c4-bc5585ce0b59.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\873e1559-703d-42f5-aad2-e76256f3a0d1.vbs"

C:\Users\All Users\msedge.exe

"C:\Users\All Users\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1908b378-828e-4f7c-887b-047a05fc13c9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6290a378-f70b-4305-9f9a-d1858be57d75.vbs"

C:\Users\All Users\msedge.exe

"C:\Users\All Users\msedge.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 a0982456.xsph.ru udp
RU 141.8.192.103:80 a0982456.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\JFcWz5uGBCcQNylIeBn.vbe

C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\FCDPQha3l1059hFdl7xiPA.bat

C:\Users\Admin\AppData\Local\Temp\bridgehyperblockreviewdhcp\ComContainer.exe

C:\Users\Admin\AppData\Local\Temp\70e78375-b5d5-42c7-9b91-09324094609f.vbs

C:\Users\Admin\AppData\Local\Temp\25b88e27-7b23-4420-8511-9b5c6ae4f352.vbs

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

C:\Users\Admin\AppData\Local\Temp\fa425a41-35ba-4510-9e0c-0ce44df216e9.vbs

C:\Users\Admin\AppData\Local\Temp\d6e72fc6-c595-4ddb-968c-ca074d337448.vbs

C:\Users\Admin\AppData\Local\Temp\33af6be1-2334-4bf4-aee5-ae85ffbfa478.vbs

C:\Users\Admin\AppData\Local\Temp\8c9e23b5-3287-435c-b6b8-c67ad50d2180.vbs

C:\Users\Admin\AppData\Local\Temp\87a28b94-122a-4d7f-91fe-eb1ac774fb62.vbs

C:\Users\Admin\AppData\Local\Temp\576b8332-1280-4030-9a97-8f5ae7fa050c.vbs

C:\Users\Admin\AppData\Local\Temp\6337a296-66e4-4d44-a8c4-bc5585ce0b59.vbs

C:\Users\Admin\AppData\Local\Temp\1908b378-828e-4f7c-887b-047a05fc13c9.vbs