Malware Analysis Report

2024-08-06 13:11

Sample ID 240615-cyr64swene
Target dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe
SHA256 dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9
Tags
remcos kgb-2024 discovery execution persistence rat asyncrat njrat default t1-2024 evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9

Threat Level: Known bad

The file dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe was found to be: Known bad.

Malicious Activity Summary

remcos kgb-2024 discovery execution persistence rat asyncrat njrat default t1-2024 evasion trojan

Remcos

njRAT/Bladabindi

AsyncRat

Detects executables packed with or using KoiVM

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects file containing reversed ASEP Autorun registry keys

Modifies Windows Firewall

Drops startup file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Command and Scripting Interpreter: JavaScript

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 02:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 02:29

Reported

2024-06-15 02:32

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target Count
N/A N/A N/A N/A 3 (no indicator or process recorded for these hits)

Detects executables packed with or using KoiVM

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target Count
File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A 8

Note: the %AppData% token in this path is an environment variable the sandbox did not expand, and the target is PowerShell's own Start Menu shortcut. Treat this signature as PowerShell start-up noise rather than as a drop into System32.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4536 set thread context of 4760 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe N/A
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A (2 identical events)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe N/A 21
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A 22

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3364 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe 3
PID 3364 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe 2
PID 3068 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe C:\Windows\System32\cmd.exe 2
PID 3068 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe C:\Windows\system32\cmd.exe 2
PID 4340 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe 2
PID 992 wrote to memory of 1824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe 2
PID 3364 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Windows\SysWOW64\WScript.exe 3
PID 3364 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4340 wrote to memory of 4536 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe 2
PID 4536 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe 12
PID 3192 wrote to memory of 2968 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4060 wrote to memory of 4740 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 2
PID 3192 wrote to memory of 2704 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4060 wrote to memory of 2552 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 2
PID 3192 wrote to memory of 2292 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4060 wrote to memory of 760 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 2
PID 3192 wrote to memory of 2748 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4060 wrote to memory of 1384 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 2

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe

"C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe"

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

"C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD2F0.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AS06078677.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NJ01255J56N.vbe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\GqLxCamcmuecCDK.js"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VrgqtQUHrnKFhjZ.js"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 alice2019.myftp.biz udp 9

Note: only DNS lookups of alice2019.myftp.biz (a hostname under a dynamic-DNS domain) were captured; the report records no resolved address and no follow-on TCP session, so the C2 endpoint itself is not visible in this run.

Files

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 5a52b411f3db447064b7d2979d5097b9
SHA1 9c4160400f4bece54016d2f051ca60c0aef49900
SHA256 50c728125c297e0bd5eaada1364e8ba6eb1089ec2a346853674cd61c87d02633
SHA512 a3c28c46854131a1008d42677dfccb92593dff29e5afa0f2a32123707c910708f576e37693c4d0b3351ea12a2f2e8fb322f11b302261e98892e022131a637693

memory/3364-37-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe

MD5 a67096ecdb3b5cc32bf144bf529fe34b
SHA1 a1573f9996118d6694713df29588fae6f74c80bc
SHA256 1a7d7118f2c444892977059530bb21f2f6faced32abc328bc11dedd26e83f30d
SHA512 dba1224aa8e2da7d863283b5301d36a38a87b501d5b0ad24b340baf90e8b41a600b52f7c362be0f950c8a109b1ef82dd00b312a1f1ea62eecc800c169d3ef6cd

memory/3068-50-0x00007FFB54913000-0x00007FFB54915000-memory.dmp

memory/3068-51-0x000002364AA40000-0x000002364AA4C000-memory.dmp

memory/3068-52-0x00000236652A0000-0x0000023665316000-memory.dmp

memory/3068-53-0x0000023664FB0000-0x0000023664FCE000-memory.dmp

memory/3068-54-0x0000023665FE0000-0x00000236660B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD2F0.tmp.bat

MD5 9b9d114b3ee31b12457cbfe8e9d267e6
SHA1 7c7682f5c24abc34f2a47b67aebd360ee8be74a6
SHA256 aebf14ee9d5e9335a21a60d73a537caaff2068528c0baa2deeb908e55ded3cb1
SHA512 24e1e63c448364172cdca6612d906b9752cacd6d855c11283b504d65ea30df397cdf9431a9cdff02feee3efb10f32d17d892397de609702ed1d3e1c819e24fd6

C:\Users\Admin\AppData\Local\Temp\AS06078677.vbe

MD5 7367c6fff631bb37a04feca2210f9945
SHA1 12352e7840bd2325460405b0b9ad4b79b2b937d6
SHA256 1fd46a47648622aa015afa8737730ceee277a1fd1c559299c4cc9841ef84b8f8
SHA512 860de410e6e727bf17277c69e4e7ad274a53f6e976e925ed3bb57a69e8c494d2743bbe005033c48a24b1730e5a0ddec01d07a61b619e8a629202592f5eb356fa

C:\Users\Admin\AppData\Local\Temp\NJ01255J56N.vbe

MD5 48d5da926416022ba34dd223d7fbf9dc
SHA1 4c8515d1a296f1d8034710c9b76366330b8ad034
SHA256 eef51f080c4d9c88a5ce974d425439e212448ae13cdf99a376500e54c43983f8
SHA512 14f19040de43fb5c46d03fa97411ca04885c7cd41d5880fc60de2b960ca0a02b6741d24741c7ba109925ef0ef525d2127a73614983eed367f6ae446acd05b7e9

memory/3364-67-0x0000000000400000-0x0000000000448000-memory.dmp

memory/4760-71-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4760-72-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4760-73-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VrgqtQUHrnKFhjZ.js

MD5 71eb92bf16735ebe68cc72b2dbb353d2
SHA1 894dd8ccd69e90e9e90004c03ec6da38046e8e60
SHA256 d975547e7b145e886994193908fa3b614477307377cf85916262ffc775d32d4a
SHA512 0e052ca1e187fa6224788f75608908f1c89b56f10df383464b12f48c13378d90fe187a9b09a6fed05905c4d81f11b49135b4b64195d7e95b55035336943571c8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\GqLxCamcmuecCDK.js

MD5 e0f7f672609bf2742e5bbf962075af22
SHA1 f0fe7fea0d046268d72842a8722998951cdf2565
SHA256 7cbe95ce91b25f845bf0bed8eb52e173f52605da4454b9a4d03b6e5698a1f6f9
SHA512 0d0256ce8d07171b0656e6ba3a62651ea2ed99cdb49e3953634da5faef8ad0df176584aa5c852dde18c17ae7236053cb2531fdfe3d3a72c8f171d763a1fc4712

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 64de9a335f6abfd0a22da4935b0db14a
SHA1 b743656b4290752ce6ec7e1cea4a775528367c98
SHA256 70ea48efbba3077d62d6f3be1e774ea4e6af1a60da5f45ae70e70eb54bef594c
SHA512 7bc854e7f9310f11b1bccb8132b172e86e492aab65071bb2ed4245639e5cc6a9a8e27de39d61c588c098ce92a562688f6c4ff8ecb163f69a955d9210d257047f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7ff544806c6e8e01e8760de5391178b8
SHA1 a523315f3c56417451d9d2c78c2671ebaebd0475
SHA256 0444f687e9462940f651a51281c8948e56b94a34195356ea762d0e72f7fa17a2
SHA512 0eb74da444fc58cd222358ed22650aea77c1e51c16fad604d2285f35e384e173d58b56a66213456497d7b4cfe5a1f0402f2e66679ee56b93d3c3aeea4ad3877b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yydpvw4.0p2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2968-93-0x00000279BFC00000-0x00000279BFC22000-memory.dmp

memory/4740-103-0x000001B977C30000-0x000001B977C74000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 eb64b8613c1e2703dd8d80a5e5216712
SHA1 8990988915ec3f2cfbdb178c000923cf8f3fac13
SHA256 d5d056a22471fdbaff515146ea571dbb50a2c43afcacf126a1432573052bdae0
SHA512 1e131a5fd42f3a11088da5a4ef2228dafa9c59040f29f2c26bc552a41f289199deffacb05ad04e6a9b6261834c6ce25ea670e0bd6ff55d786d1cb9b98ad5c5d1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ce3ea427b3914c3c7c4f60d290e2d45b
SHA1 a89d8fe70417e862dce75af39f417d970614cbc2
SHA256 5397717aec96bcbf9784bd0dd6ed2e1e245a30fc418584823f25494ed35e00dd
SHA512 4a4a82846493fc6de75d2d4cd46def86288074e11dd26de78ba97364efd2d580cc73989331b6798e1c6c39c1364780bff0f40466b0f0b91b3b6ee4d5620d7cb4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 09607ce32d37ef7bf735a66b084b7a64
SHA1 4ed9c47f6cf8876bb871c0f48a8c356226d67a7b
SHA256 5b30ef747ab25092fdaf877c7c5baa87467f106b30b5aec9599790451adb39a5
SHA512 429636888e62d26d5b12b2999931754fca74ac10cb3a2607a91fefd7842acf86583d4295274ab59c3987f3d0c5243740c3048206e7530859b5168673564501cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 1f5105fddb9896eefdaeb4d90f138f3c
SHA1 f1f1000a042e91058ec389704bd37d90aaa011b8
SHA256 dc383e07dd9e84cc1f74434c527006650d008df104b538315319500b696718fe
SHA512 eff4402c6b008ad6a3722ff7c73d4135dfc659c079cbfe06d29cb3299968de9ca3802024a9aeba9b867a766258a0b25cd0cbf99395fab50abc2827ba34009fc6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f638625b07d474f41cf22ec62f4fa8f3
SHA1 098a4545210d98ebfebfe85e0d1d7fad445499dd
SHA256 2d20428ce2e7fff0df5b24cc235be3555eafd3ab055c169d884bbdfe3d36c643
SHA512 5c0d3e1b2883e1069c77e68ef84ee782c99f37cf1182702b3e7171666bf3ac6b14bc90ef2e03709af41620a821bac1a4d6c292979678420eaf7da5800eee4423

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d58f62ef177de3093fb8f93377121f3e
SHA1 758bda61b2a3b7d48f5ceea42394acb27b61511b
SHA256 b1bc5bb1b53be95d174ac5f5e37d29392bf92d1b7f1f6df7dcdd9526fbca9193
SHA512 77671d8e8044f3ff47bae46d1006c18f358880dfb87cd44178aabeccc8c70958048dfffd062b457b5574da373d38046cd393f07d71b8892d31c206321032340e

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 02:29

Reported

2024-06-15 02:32

Platform

win7-20240220-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe"

Signatures

AsyncRat

rat asyncrat

Remcos

rat remcos

njRAT/Bladabindi

trojan njrat

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target Count
N/A N/A N/A N/A 6 (no indicator or process recorded for these hits)

Detects executables packed with or using KoiVM

Description Indicator Process Target
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target Count
N/A N/A N/A N/A 5 (no indicator or process recorded for these hits)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe N/A
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [value omitted] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [value omitted] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [value omitted] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040
530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df
36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3032 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe
PID 3032 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe
PID 3032 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe
PID 3032 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe
PID 1892 wrote to memory of 356 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe C:\Windows\System32\cmd.exe
PID 1892 wrote to memory of 356 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe C:\Windows\System32\cmd.exe
PID 1892 wrote to memory of 356 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe C:\Windows\System32\cmd.exe
PID 1892 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe C:\Windows\system32\cmd.exe
PID 356 wrote to memory of 2168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 356 wrote to memory of 2168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 356 wrote to memory of 2168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3032 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Windows\SysWOW64\WScript.exe
PID 3032 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Windows\SysWOW64\WScript.exe
PID 3032 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Windows\SysWOW64\WScript.exe
PID 3032 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Windows\SysWOW64\WScript.exe
PID 1876 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1876 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1876 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3032 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Windows\SysWOW64\WScript.exe
PID 3032 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Windows\SysWOW64\WScript.exe
PID 3032 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Windows\SysWOW64\WScript.exe
PID 3032 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe C:\Windows\SysWOW64\WScript.exe
PID 1876 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1876 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1876 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\calc.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\WerFault.exe
PID 2768 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\WerFault.exe
PID 2768 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\WerFault.exe
PID 3004 wrote to memory of 2240 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WScript.exe
PID 3004 wrote to memory of 2240 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WScript.exe
PID 3004 wrote to memory of 2240 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe

"C:\Users\Admin\AppData\Local\Temp\dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe"

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

"C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp405A.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AS06078677.vbe"

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NJ01255J56N.vbe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\calc.exe

"C:\Windows\System32\calc.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2768 -s 784

C:\Windows\system32\taskeng.exe

taskeng.exe {BFD681FA-B537-42C4-84A0-159E13816476} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VrgqtQUHrnKFhjZ.js"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\GqLxCamcmuecCDK.js"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\conhost.exe

"C:\Windows\system32\conhost.exe" -Force

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Users\Admin\AppData\Roaming\RegSvcs.exe

"C:\Users\Admin\AppData\Roaming\RegSvcs.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -Command "Get-ScheduledTask | Where-Object { $_.TaskPath -eq '\' } | Format-List"

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "2904" "1132"

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "1456" "1132"

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "2944" "828"

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "2272" "1004"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\RegSvcs.exe" "RegSvcs.exe" ENABLE

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\GqLxCamcmuecCDK.js"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VrgqtQUHrnKFhjZ.js"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Users\Admin\AppData\Roaming\AddInProcess32.exe

"C:\Users\Admin\AppData\Roaming\AddInProcess32.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -Command "Get-ScheduledTask | Where-Object { $_.TaskPath -eq '\' } | Format-List"

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "2620" "1176"

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "2216" "1132"

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "824" "1136"

Network

Country Destination Domain Proto
US 8.8.8.8:53 alice2019.myftp.biz udp
US 107.175.31.172:2525 alice2019.myftp.biz tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 107.175.31.172:5552 alice2019.myftp.biz tcp
US 107.175.31.172:5552 alice2019.myftp.biz tcp
US 8.8.8.8:53 alice2019.myftp.biz udp
US 107.175.31.172:7707 alice2019.myftp.biz tcp
US 8.8.8.8:53 www.microsoft.com udp
US 107.175.31.172:7707 alice2019.myftp.biz tcp

Files

\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 5a52b411f3db447064b7d2979d5097b9
SHA1 9c4160400f4bece54016d2f051ca60c0aef49900
SHA256 50c728125c297e0bd5eaada1364e8ba6eb1089ec2a346853674cd61c87d02633
SHA512 a3c28c46854131a1008d42677dfccb92593dff29e5afa0f2a32123707c910708f576e37693c4d0b3351ea12a2f2e8fb322f11b302261e98892e022131a637693

C:\Users\Admin\AppData\Local\Temp\Cab2760.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar283E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\425AD1552F0102S5D5F.exe

MD5 a67096ecdb3b5cc32bf144bf529fe34b
SHA1 a1573f9996118d6694713df29588fae6f74c80bc
SHA256 1a7d7118f2c444892977059530bb21f2f6faced32abc328bc11dedd26e83f30d
SHA512 dba1224aa8e2da7d863283b5301d36a38a87b501d5b0ad24b340baf90e8b41a600b52f7c362be0f950c8a109b1ef82dd00b312a1f1ea62eecc800c169d3ef6cd

memory/1892-107-0x00000000003D0000-0x00000000003DC000-memory.dmp

memory/1892-108-0x000000001C060000-0x000000001C134000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp405A.tmp.bat

MD5 91d34699de1f57f6e06f2c4425774d88
SHA1 5c7cecbf5813dfed02a8cb3175b9314630d41bf5
SHA256 8e9e89fa4a61fda5ef50696b6afe0687bb18fa45de804df2ca455c8bf73fd5c0
SHA512 09756209b2184245484261560020c25c67ae5e21dcec356347e4613d07a2b50a2f1324b287ec70abe45293acc30266546bc46a9044602814f5a2d2c251d35366

C:\Users\Admin\AppData\Local\Temp\NJ01255J56N.vbe

MD5 48d5da926416022ba34dd223d7fbf9dc
SHA1 4c8515d1a296f1d8034710c9b76366330b8ad034
SHA256 eef51f080c4d9c88a5ce974d425439e212448ae13cdf99a376500e54c43983f8
SHA512 14f19040de43fb5c46d03fa97411ca04885c7cd41d5880fc60de2b960ca0a02b6741d24741c7ba109925ef0ef525d2127a73614983eed367f6ae446acd05b7e9

C:\Users\Admin\AppData\Local\Temp\AS06078677.vbe

MD5 7367c6fff631bb37a04feca2210f9945
SHA1 12352e7840bd2325460405b0b9ad4b79b2b937d6
SHA256 1fd46a47648622aa015afa8737730ceee277a1fd1c559299c4cc9841ef84b8f8
SHA512 860de410e6e727bf17277c69e4e7ad274a53f6e976e925ed3bb57a69e8c494d2743bbe005033c48a24b1730e5a0ddec01d07a61b619e8a629202592f5eb356fa

memory/3032-124-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2768-130-0x0000000000220000-0x000000000022C000-memory.dmp

memory/1284-131-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1284-135-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1284-145-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1284-143-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1284-139-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1284-137-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1284-133-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1284-142-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2076-147-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\GqLxCamcmuecCDK.js

MD5 e0f7f672609bf2742e5bbf962075af22
SHA1 f0fe7fea0d046268d72842a8722998951cdf2565
SHA256 7cbe95ce91b25f845bf0bed8eb52e173f52605da4454b9a4d03b6e5698a1f6f9
SHA512 0d0256ce8d07171b0656e6ba3a62651ea2ed99cdb49e3953634da5faef8ad0df176584aa5c852dde18c17ae7236053cb2531fdfe3d3a72c8f171d763a1fc4712

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VrgqtQUHrnKFhjZ.js

MD5 71eb92bf16735ebe68cc72b2dbb353d2
SHA1 894dd8ccd69e90e9e90004c03ec6da38046e8e60
SHA256 d975547e7b145e886994193908fa3b614477307377cf85916262ffc775d32d4a
SHA512 0e052ca1e187fa6224788f75608908f1c89b56f10df383464b12f48c13378d90fe187a9b09a6fed05905c4d81f11b49135b4b64195d7e95b55035336943571c8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7a45c3e17bf934129de6694d8c2b2323
SHA1 4d1f1e82dad6c385b0b7d4c0264228abce8010ab
SHA256 1e48e29a08e6739e2f7c23401e334433f002138ba69673880a530c6d677de98e
SHA512 9a541d39294d90686d9fd8370fee890dcdcb4076ac2797e83799c795d843dbc9bd04cd07554f33fa94ef529989b5e608cf9093939f81983af11440eb427d7a6e

memory/2904-165-0x000000001B620000-0x000000001B902000-memory.dmp

memory/2904-166-0x0000000001D30000-0x0000000001D38000-memory.dmp

memory/2272-177-0x0000000002A70000-0x0000000002A78000-memory.dmp

memory/2272-178-0x0000000002930000-0x000000000293C000-memory.dmp

memory/404-183-0x0000000000400000-0x000000000040E000-memory.dmp

memory/404-184-0x0000000000400000-0x000000000040E000-memory.dmp

memory/404-186-0x0000000000400000-0x000000000040E000-memory.dmp

memory/404-190-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/404-188-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Roaming\RegSvcs.exe

MD5 d79f070423fdd3f01ce8c2ba3fbbc8ed
SHA1 2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8
SHA256 97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
SHA512 47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

memory/404-191-0x0000000000400000-0x000000000040E000-memory.dmp

memory/404-193-0x0000000000400000-0x000000000040E000-memory.dmp

memory/404-194-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259451263.txt

MD5 28d104848ecad2a1983221a63e7c48df
SHA1 d79003c838da6472ff94aa9414816b3bd90972c4
SHA256 3174d4020cf50a9a279ff25b51ab576a51517e33596a61c48eef1e68284dedf0
SHA512 b7bd68660d433f481a9365cee1d5e0cd547b130eaa4ae6df7ef1965a0a234bf6f617dfadfbbb12d5be6727699422163262f52975aabbfc08eda59cdb1a8f4ca4

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259449918.txt

MD5 b97b5d931ca8ff5ea797b3537e130590
SHA1 faa187d2c7325bd3f6beb4ae6cebe9ced7994c78
SHA256 c78b02f732ce52360de4301e2d160fae29c7f5311909175fccd91858150f9b88
SHA512 f0c2be262a559b451ac44c9c76e1a59c9bfa14393379ce8802adf779626af32454c162574047519f21b509868530189fd22e12bd8f3ed42a0ac3a28ca18886fa

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259450775.txt

MD5 6f3cce989c87fede685c4d978c465d94
SHA1 e0cfc59f1b0e6753a1a0156da6d75ca30fe5bf29
SHA256 e54e3cea9d9983b6098c339ebbca237d1ca4f564b83522b05da9ec6465e15b20
SHA512 ddc1079d8cde556f2160b0e00c43fc96b5c5df4d0ae4e3ff69ea15b3f4e18c6ab9e8d0b65844b6acf95993153086c2219ed25ef6477ab61b85436c9586a060ac

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259450718.txt

MD5 adad2cb50c17ebe30efe5693c2b2cc23
SHA1 efad8e4d4f0fba435369dcfce4fc36f9cf7c948a
SHA256 450ce77365d9521a8b66e9c8c850840eb0d2033b64b9ebc9fd84cdfe9e704169
SHA512 b963f6b444488c30e3fb6ed581b0c4a034ce0569d63aac5863f32c64d1032314bfe6a7e2f150b06bf2cf2c8b2d6dd4bc7df355518e69e3a1ece03b0f0ff9b9d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 41bba0c4f9bf11f39dff57a23d2ce025
SHA1 67775b9b22cd0b588cb1015a240e2a2a04e17d35
SHA256 461fe9285596f4928528858389ecd0f2da8511390b542f593fb22e0e65f0553f
SHA512 6106fd7770b91e31e1493bc6b2898aa0aa56c25d2e61276b741b4405f7eae3c9258c66ddd434df0ad19d0745f2d32f1bc0a18b8f704b972c9d0f09693ee1ebe5

memory/2620-214-0x000000001B640000-0x000000001B922000-memory.dmp

memory/2620-215-0x0000000002720000-0x0000000002728000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1280-231-0x0000000000080000-0x0000000000092000-memory.dmp

memory/1280-234-0x0000000000080000-0x0000000000092000-memory.dmp

memory/1280-235-0x0000000000080000-0x0000000000092000-memory.dmp

memory/1280-237-0x0000000000080000-0x0000000000092000-memory.dmp

memory/1280-239-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1280-242-0x0000000000080000-0x0000000000092000-memory.dmp

memory/1280-249-0x0000000000080000-0x0000000000092000-memory.dmp

memory/1280-246-0x0000000000080000-0x0000000000092000-memory.dmp

C:\Users\Admin\AppData\Roaming\AddInProcess32.exe

MD5 6a673bfc3b67ae9782cb31af2f234c68
SHA1 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259523469.txt

MD5 344548a31dc47f7e4cf923fae6312e61
SHA1 9b1bdf79949d7011075fc4d87977b483f715efdb
SHA256 74fdeadc4599685577ff2b793c0ff5e0bdc12d30fd037712fe4303c6f4aea7d5
SHA512 c611e055362234c6c1c59b4e35d6863361d9dc1590acf741589f31af4f1e69a2f9308970f24172cd05f70af931219ab9756a52622194a67ef959c45f0859fa76

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259525369.txt

MD5 844214bed049357b264af72c94fe1479
SHA1 6016a8f71e60d25696d7a600d6e0b9090217fa37
SHA256 cd06f9345cf7b50e0d33883f72556e5d33ad203f38abbc02c24b61ffaa75a999
SHA512 4bc2cd06da23ae2b0f9729031223558c3b629c6dc93644e23e0f4a71fead2f09604a27a59e109adf0204fdf19784470d1286b77c05e36dfa3d3c84a7f4d1bc97

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259522921.txt

MD5 127e6280feabc5f7ffa5fab6e9fef870
SHA1 2142fab5c7ed406ef3fa19280279b54240b7d789
SHA256 7c84b6e2f3d2857d0f2df548a68faa5b83ce3fabc9771e501081d0e24e7f9439
SHA512 9e7dfc73e742c1ce4a63d0f4e4b7027626919b6917831571399e7ce120004dd5beb51a18744a4269be85aa59861103ccfc7ea4cef0e800ad11ee1abe34248924

C:\Users\Admin\AppData\Local\Temp\Tar1DAF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 983b355fb8ae6f4de768f77e963e9f12
SHA1 8291ae8368d91e71fd13364a986f486605dc916c
SHA256 4b4e15d6eda271ebe75f10be5c6bc8c1bd0a262bc02b4e1a832bf5b9e788c1a2
SHA512 d8ab848204dae4a42eb82aa5732997dcdc36842df564f06a78243c4a33637d06c6acfe633a572260a9f2a1c4857bda446905da69be77f0aca39479402a9b8bda

memory/1280-285-0x00000000058C0000-0x0000000005928000-memory.dmp