Malware Analysis Report

2024-09-11 14:49

Sample ID 240610-m4xnwsgh98
Target WZDigit.exe
SHA256 ee38c97a5d83953ee830328a47c2fdd594c04b4ee97d73ca718f0553d2ee5a92
Tags
xworm rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee38c97a5d83953ee830328a47c2fdd594c04b4ee97d73ca718f0553d2ee5a92

Threat Level: Known bad

The file WZDigit.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Detect Xworm Payload

Xworm

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-10 11:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 11:01

Reported

2024-06-10 11:02

Platform

win10-20240404-en

Max time kernel

13s

Max time network

18s

Command Line

winlogon.exe

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wzF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wzD.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\wzD c:\windows\system32\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wzF.exe N/A (61 identical rows in the sandbox output)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (3 identical rows in the sandbox output)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\wzF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wzD.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeAuditPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wzD.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\WZDigit.exe C:\Users\Admin\AppData\Roaming\wzF.exe
PID 2908 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\WZDigit.exe C:\Users\Admin\AppData\Roaming\wzF.exe
PID 2908 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\WZDigit.exe C:\Users\Admin\AppData\Local\Temp\wzD.exe
PID 2908 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\WZDigit.exe C:\Users\Admin\AppData\Local\Temp\wzD.exe
PID 4644 wrote to memory of 560 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\winlogon.exe
PID 4644 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\lsass.exe
PID 4644 wrote to memory of 724 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 900 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\dwm.exe
PID 4644 wrote to memory of 304 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 360 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 688 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\System32\svchost.exe
PID 4644 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\System32\svchost.exe
PID 4644 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\svchost.exe
PID 4644 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\System32\spoolsv.exe
PID 4644 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\sysmon.exe
PID 4644 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\wbem\unsecapp.exe
PID 4644 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\sihost.exe
PID 4644 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\taskhostw.exe
PID 4644 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\Explorer.EXE
PID 4644 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\System32\RuntimeBroker.exe
PID 4644 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\DllHost.exe
PID 4644 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\svchost.exe
PID 4644 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
PID 4644 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Roaming\wzF.exe c:\windows\system32\svchost.exe
PID 4644 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\DllHost.exe
PID 4644 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\ApplicationFrameHost.exe
PID 4644 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\System32\InstallAgent.exe
PID 4644 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\DllHost.exe
PID 4644 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Users\Admin\AppData\Local\Temp\wzD.exe
PID 4644 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Roaming\wzF.exe C:\Windows\system32\taskmgr.exe
PID 640 wrote to memory of 2408 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 3440 wrote to memory of 4768 N/A C:\Windows\Explorer.EXE C:\Windows\system32\taskmgr.exe
PID 3440 wrote to memory of 4768 N/A C:\Windows\Explorer.EXE C:\Windows\system32\taskmgr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s gpsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Schedule

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s nsi

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s EventSystem

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s UserManager

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s NlaSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s netprofm

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s CryptSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s WpnService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Browser

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\sihost.exe

sihost.exe

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s CDPSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\System32\InstallAgent.exe

C:\Windows\System32\InstallAgent.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Users\Admin\AppData\Local\Temp\WZDigit.exe

"C:\Users\Admin\AppData\Local\Temp\WZDigit.exe"

C:\Users\Admin\AppData\Roaming\wzF.exe

"C:\Users\Admin\AppData\Roaming\wzF.exe"

C:\Users\Admin\AppData\Local\Temp\wzD.exe

"C:\Users\Admin\AppData\Local\Temp\wzD.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wzD" /tr "C:\Users\Admin\AppData\Roaming\wzD.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
US 8.8.8.8:53 rentry.co udp
US 172.67.75.40:443 rentry.co tcp
US 8.8.8.8:53 40.75.67.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\wzF.exe

MD5 d25c06b1faded0dcee1c9a3209346533
SHA1 8b11671969304ecc8e05193e4dee174083cc70b2
SHA256 269ce80d61b6e86e8e41ea1d8987bb896b2900e08ac2c0beb59eade852d22069
SHA512 256ab6f943aeb5d4fe818bc7ee0fcfd478788314d922ead53f5c52781b7a4da6f80d06bb281a5f2b9d8b7d08314ea360e2573470d3fe933fa97c0a6f680e68c4

C:\Users\Admin\AppData\Local\Temp\wzD.exe

MD5 8753e12c3610eb37f04768260963ffe7
SHA1 15910a6c40fb92f9b96341e5cadaf179da566b14
SHA256 b47e26133f22f39cde5da59a60aeb12a68f190e49b68e936a4f77afeb05ac09c
SHA512 20652265b2208df9c6668a8eb5b0af3bdccc45ab7646eaaa99a4e4b896e845a3db466d9eacdd6e8bd5a47fd9957f16e3bf44f06ace27909224dacd05c0448770
