Malware Analysis Report

2025-01-03 09:29

Sample ID 240604-rw53hsad31
Target Client.exe
SHA256 e91028292e9f544999a641c8656895a4cfec809d5c9e28429e4233f5d5a894b7
Tags: bootkit, execution, persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: e91028292e9f544999a641c8656895a4cfec809d5c9e28429e4233f5d5a894b7

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

bootkit execution persistence

Modifies WinLogon for persistence

Modifies AppInit DLL entries

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 14:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 14:33

Reported

2024-06-04 14:35

Platform

win10v2004-20240426-en

Max time kernel

108s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\xdwdFileZilla Upgrade.exe" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\pukexngq.dxx.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A

Modifies AppInit DLL entries

persistence

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\Music\\xdwdXAMPP.exe" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\pukexngq.dxx.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\xdwd.dll C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "159" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1640 wrote to memory of 5648 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1640 wrote to memory of 5648 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 4564 wrote to memory of 4640 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4564 wrote to memory of 4640 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2992 wrote to memory of 4372 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2992 wrote to memory of 4372 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 5124 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 5124 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 5124 wrote to memory of 3540 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 5124 wrote to memory of 3540 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 5644 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 5644 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 5644 wrote to memory of 3708 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 5644 wrote to memory of 3708 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3792 wrote to memory of 4004 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3792 wrote to memory of 4004 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3016 wrote to memory of 1724 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3016 wrote to memory of 1724 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 5816 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 5816 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 5816 wrote to memory of 5040 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 5816 wrote to memory of 5040 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2716 wrote to memory of 5716 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 5716 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 408 wrote to memory of 4476 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 408 wrote to memory of 4476 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1576 wrote to memory of 4404 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1576 wrote to memory of 4404 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 6136 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 6136 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 6136 wrote to memory of 5076 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 6136 wrote to memory of 5076 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3456 wrote to memory of 4332 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3456 wrote to memory of 4332 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3648 wrote to memory of 716 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3648 wrote to memory of 716 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 5260 wrote to memory of 1324 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 5260 wrote to memory of 1324 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 400 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 400 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 636 wrote to memory of 1232 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 636 wrote to memory of 1232 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\Music\xdwdXAMPP.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "Autodesk AutoCAD" /tr "C:\Users\Admin\Music\xdwdXAMPP.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft Project" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdFileZilla Upgrade.exe" /RL HIGHEST

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa397b055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 model-dt.gl.at.ply.gg udp
US 147.185.221.19:61584 model-dt.gl.at.ply.gg tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 147.185.221.19:61584 model-dt.gl.at.ply.gg tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 147.185.221.19:61584 model-dt.gl.at.ply.gg tcp
US 147.185.221.19:61584 model-dt.gl.at.ply.gg tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/400-0-0x0000000000B50000-0x0000000000B98000-memory.dmp

memory/400-1-0x00007FFA58B13000-0x00007FFA58B15000-memory.dmp

memory/400-23-0x00007FFA58B10000-0x00007FFA595D1000-memory.dmp

C:\Windows\xdwd.dll

MD5 16e5a492c9c6ae34c59683be9c51fa31
SHA1 97031b41f5c56f371c28ae0d62a2df7d585adaba
SHA256 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA512 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

memory/400-118-0x00007FFA58B13000-0x00007FFA58B15000-memory.dmp

memory/400-267-0x00007FFA58B10000-0x00007FFA595D1000-memory.dmp

memory/400-299-0x000000001DA20000-0x000000001DA96000-memory.dmp

memory/400-300-0x0000000002D90000-0x0000000002D9C000-memory.dmp

memory/400-301-0x000000001D270000-0x000000001D28E000-memory.dmp

memory/400-799-0x0000000002D80000-0x0000000002D8C000-memory.dmp

memory/1536-809-0x000002D71A580000-0x000002D71A5A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orfpumdo.d22.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\pukexngq.dxx.exe

MD5 a9d32c2ea6c4957e4bfef9fb0dabd8d8
SHA1 5dac99e3da8846602382c57a3fc24ccc4613ea20
SHA256 d167d7de10c0a15976d2877b5ce0bae62f1c9825e07880c58a1a3e01d2126144
SHA512 b88f6707dda39ea2c509e6ae050339c054648fa0dd5d5385b53bb75f7f3a3feacdf69f580796701d7cc45e779456da4205f466352779ab0a0616581c7615b31e

memory/3972-913-0x0000000000400000-0x0000000000474000-memory.dmp

memory/400-914-0x00007FFA58B10000-0x00007FFA595D1000-memory.dmp