Malware Analysis Report

2024-11-15 05:53

Sample ID 240722-tvbtdsxbkp
Target 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
SHA256 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
Tags rat dcrat infostealer persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a

Threat Level: Known bad

The file 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

Dcrat family

DCRat payload

Modifies WinLogon for persistence

Process spawned unexpected child process

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-22 16:22

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-22 16:22
Reported 2024-07-22 16:24
Platform win7-20240705-en
Max time kernel 145s
Max time network 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\it-IT\System.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\it-IT\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\Default User\\System.exe\", \"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\taskhost.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\Windows\\PLA\\dllhost.exe\", \"C:\\Program Files\\DVD Maker\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\Default User\\System.exe\", \"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\taskhost.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\Windows\\PLA\\dllhost.exe\", \"C:\\Program Files\\DVD Maker\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\Default User\\System.exe\", \"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\taskhost.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\Windows\\PLA\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\Default User\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\Default User\\System.exe\", \"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\Default User\\System.exe\", \"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\taskhost.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\Default User\\System.exe\", \"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\taskhost.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a = "\"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\DVD Maker\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Default User\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Default User\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\it-IT\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\777f1042-3af1-11ef-b4bd-d2f1755c8afd\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\PLA\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a = "\"C:\\Program Files (x86)\\Windows Portable Devices\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default User\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\DVD Maker\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\it-IT\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Journal\\ja-JP\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default User\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\PLA\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Visual Studio 8\ba72c994d5d333 C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCXC99E.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXB2DF.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\DVD Maker\RCXC72C.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\DVD Maker\RCXC79A.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\RCXB552.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ba72c994d5d333 C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files\DVD Maker\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXB756.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\RCXC2B5.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\DVD Maker\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXB2E0.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\RCXC2B6.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCXC99F.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files\DVD Maker\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\RCXB4E4.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXB757.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PLA\RCXC4BB.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Windows\it-IT\System.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Windows\it-IT\System.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Windows\it-IT\RCXB0CC.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Windows\it-IT\RCXB05D.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Windows\PLA\RCXC4BA.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Windows\PLA\dllhost.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Windows\it-IT\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Windows\PLA\dllhost.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Windows\PLA\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\cmd.exe
PID 1316 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\cmd.exe
PID 1316 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\cmd.exe
PID 2112 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2112 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2112 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2112 wrote to memory of 2240 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2112 wrote to memory of 2240 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2112 wrote to memory of 2240 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2240 wrote to memory of 1760 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2240 wrote to memory of 1760 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2240 wrote to memory of 1760 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2240 wrote to memory of 2348 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2240 wrote to memory of 2348 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2240 wrote to memory of 2348 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 1760 wrote to memory of 2964 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 1760 wrote to memory of 2964 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 1760 wrote to memory of 2964 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2964 wrote to memory of 2060 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2964 wrote to memory of 2060 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2964 wrote to memory of 2060 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2964 wrote to memory of 1652 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2964 wrote to memory of 1652 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2964 wrote to memory of 1652 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2060 wrote to memory of 3056 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2060 wrote to memory of 3056 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2060 wrote to memory of 3056 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 3056 wrote to memory of 2212 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 3056 wrote to memory of 2212 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 3056 wrote to memory of 2212 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 3056 wrote to memory of 2540 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 3056 wrote to memory of 2540 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 3056 wrote to memory of 2540 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2212 wrote to memory of 2200 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2212 wrote to memory of 2200 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2212 wrote to memory of 2200 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2200 wrote to memory of 2524 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2200 wrote to memory of 2524 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2200 wrote to memory of 2524 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2200 wrote to memory of 2384 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2200 wrote to memory of 2384 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2200 wrote to memory of 2384 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2524 wrote to memory of 2992 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2524 wrote to memory of 2992 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2524 wrote to memory of 2992 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2992 wrote to memory of 2956 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2992 wrote to memory of 2956 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2992 wrote to memory of 2956 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2992 wrote to memory of 1012 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2992 wrote to memory of 1012 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2992 wrote to memory of 1012 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2956 wrote to memory of 1832 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2956 wrote to memory of 1832 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2956 wrote to memory of 1832 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 1832 wrote to memory of 2628 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 1832 wrote to memory of 2628 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 1832 wrote to memory of 2628 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 1832 wrote to memory of 2144 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 1832 wrote to memory of 2144 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 1832 wrote to memory of 2144 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe
PID 2628 wrote to memory of 1856 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2628 wrote to memory of 1856 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 2628 wrote to memory of 1856 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe
PID 1856 wrote to memory of 2584 N/A C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a6" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PLA\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vfELjyVScz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca00480-b941-467e-814a-54e522f61011.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf9158c1-ec3f-472f-ad32-5d22e44c125c.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2aeeca3-8f8c-4e6a-aeb7-915932e6733c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c332152-d620-47f3-8682-65dd035cb045.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a84003e-e153-42eb-917a-b1698cdd279e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30d93118-9910-4ce8-95f5-9e15357e4c33.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75d8087c-804b-42c6-822c-032b2c045633.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71150a3b-acf1-4c52-a97f-411fc764092e.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8612983c-c1d0-4543-a0f8-9ee2ffdb0cf3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\944f4eeb-8be4-4ad3-a5f7-7043880dc520.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73c027d4-95f0-4263-bd90-d9667b145154.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc7791cc-2ebf-4afc-944d-31c3a9fd7c21.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060c69e3-8922-45be-87e9-5f60534bf0fc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67ceb8a9-9199-4256-8ff7-6afbe07971b6.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41176c31-eceb-404f-9920-3ce32e70f66c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bebe0fd3-b5fd-4c01-9e26-14bb44701e32.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\010c95fe-4b29-480e-b68a-70f9e1cd6505.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d93a4c2c-d8bf-4594-a934-a8ab63102ec8.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd8512e7-288f-4163-9b4c-17cfb37453ea.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\868ba458-c979-44de-8de7-e263d8d060bc.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b57db4fc-1272-4c1d-acff-efc70e4c0865.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55270971-521a-406d-bcbb-5adae37b2bc8.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d46d2ee3-0901-4a6a-bfe1-857dec79b0ce.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f53e243-be3c-44fa-967b-a3fa1860f2e9.vbs"

C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Program Files (x86)\Windows Portable Devices\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f377bc9c-4af4-4484-8c91-0c3bb510600d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca71227-1d98-42f2-9124-b99e23a89185.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 a1005850.xsph.ru udp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a1005850.xsph.ru tcp

Files

memory/1316-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

memory/1316-1-0x00000000002A0000-0x00000000003FA000-memory.dmp

memory/1316-2-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

memory/1316-3-0x0000000000250000-0x000000000026C000-memory.dmp

memory/1316-4-0x0000000000270000-0x0000000000280000-memory.dmp

memory/1316-5-0x0000000000280000-0x0000000000296000-memory.dmp

memory/1316-6-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1316-7-0x0000000000420000-0x000000000042A000-memory.dmp

memory/1316-8-0x0000000000430000-0x000000000043E000-memory.dmp

memory/1316-9-0x0000000000410000-0x0000000000418000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe

MD5 f946ceb3dfbc4802323f045e77b9fc63
SHA1 04beac37360d30c5ad933f82f80bfd41ae294cc4
SHA256 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
SHA512 7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3

C:\Windows\it-IT\System.exe

MD5 25e3aae206a932b279a0cfab02592866
SHA1 42eb90e607c83d3e5f5e706ce446206cce2bc5e2
SHA256 d3c8e24d8fe6447c55175a8b2fa3534b00423ca3c9480f992c0b21741ed3c9db
SHA512 2344a8fe6afb1859b8f036d0eda973be2b1e5ad575449c5f4818e894c2922e4f2fbaf970b223267e6976baff6b38cd17f928351662db3d144a238adc4ca86c7b

C:\Program Files\Windows Journal\ja-JP\spoolsv.exe

MD5 079019233687f775602f6083854c0a3c
SHA1 8d96468e21fae8501972041545be493fb7bf520d
SHA256 a38dd6a3968bdbd7a9b811bd950a131434f16aedc405c1f7eef46f3a86274bab
SHA512 5fa31ef176ba33eb823dc326c53168e91d4bd63bbd2e55c770dac0cf1234c49425d6bbb424d5f9945c2dabddcaa5b052aff1e4a26b4043b1ba42ae5be8794527

C:\Users\Default\System.exe

MD5 6903e9a4b5e2768a6846ef8f45e1041f
SHA1 742b54fae1ffb097b6b0929a6b81de922720d6a6
SHA256 0def9b3c985e30721af2c5f44f047623d60511c4019cf3b7864862fa04151e1b
SHA512 b99b1a7e90edbad4531fc960244c174e6add38e542911ca29e6f226fc7a896f5c71653221fff66e92211e147b05344490f12bf34a154f9bfb677b139eb3b27c8

C:\Program Files\DVD Maker\WmiPrvSE.exe

MD5 59be1a3db10fdffe0258170ab44303e4
SHA1 1ff68ff01323f611eb96037d1709c7deaf1f1e15
SHA256 4bd3e24484aa90e5e54b83edce70c96e88c7c93522a799e41548b48d144bf27a
SHA512 8cf4d868b186b271b6b5f6f4a0d5b8c19a545feb5b8de9b1974647f736bb7c12e9cbec4188529f8cf35a5d8c0cecc9a56d5fb55e876dbc46ca00ccaea896d8ab

memory/1316-181-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vfELjyVScz.bat

MD5 6f2973cfb0fd159ba1e4a88e2662a4d5
SHA1 0e8ecd120b68034b513a8c635b829712d420e521
SHA256 b4a2217467884635f0b705d177f421db3b1dd0f3987d31244bd85487317fa513
SHA512 e3992dcae1a99c1c842dc6803eb9775e3219fa3522d5700f868871291048bf9e00cce56d7fa8491d55995a6f8117352d37c50a0d549a4ff251409bf6163ed3f1

memory/2240-185-0x0000000000C30000-0x0000000000D8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6ca00480-b941-467e-814a-54e522f61011.vbs

MD5 51ec3b379d0bb64983be5137d8ac5a56
SHA1 93d41cf25849471cd1db686305dc6c7f9d69755b
SHA256 b05f8af7f24ed683d192af012a0b4a258ca2aadde5ad43fd79947ba9184d5753
SHA512 bfdd95b9522ef4d58be7afdaf08ec5a673e34a069196c813a784676cf266efc33a0061160beb3ff057c5f220e09082312969eadd527dc89fa31c9385f68a0435

C:\Users\Admin\AppData\Local\Temp\bf9158c1-ec3f-472f-ad32-5d22e44c125c.vbs

MD5 0a7ce9f2aa9aa4e47176d1a70f727f11
SHA1 ce326caeaaccf558e80c81a70faab1de1ebfdafd
SHA256 15a93dc4aa5eea51bc49f6b080ef18ff07471b89f1500dddee86e63cf6b6d8a6
SHA512 25c61aec86021203c9af860b6cc370959b8c43e39a015810631e4c18bf096761d09f9ac69235ca6b0752fc5c3d3422952031877884af742b80bd3a2126062244

memory/2964-196-0x00000000001A0000-0x00000000002FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c2aeeca3-8f8c-4e6a-aeb7-915932e6733c.vbs

MD5 a3d0a5648a7d7af69913c3aa633ce605
SHA1 1d0f474d8d48687f4aa4a16f5e56885ed2f3c7e1
SHA256 8533d5ed50b731db7aec4b4c94e4833a3077ab8fc5d57f2569827c517672e462
SHA512 0041c9a4550cd0135c0468d84861d843a5118343872a041e5386f90b4a6634151d931d505a462b960ea54301a5895369aa1c5b49cd1761fa2d1c57a5c29b22f2

memory/3056-208-0x0000000001250000-0x00000000013AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2a84003e-e153-42eb-917a-b1698cdd279e.vbs

MD5 c0a872d40a6c233bb222b18852f51708
SHA1 23b5f64a5c3602b898ec4b542f5be263c27bb65e
SHA256 180771a30dc34f455e8b8b08f1f20fda684fbe9ddd2325ceea80c0d76b7df847
SHA512 b851ef7f084c0b84bcf0e86fc3a56b9093a7b57ee7c44041dc7e5a6528365ebe261157a4ea1a726ab36e52f00e885d5fabc5de33015afc152f8c85ad243b388a

memory/2200-220-0x0000000000230000-0x000000000038A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\75d8087c-804b-42c6-822c-032b2c045633.vbs

MD5 bcfd3d7836fa644f3db03f0a60f0fbc8
SHA1 98d3f8a1f3e0d4ef6204db98e972b3f404985912
SHA256 fa2fdd7a7222bf408763e6718eb51003dbe1f544bc32dd9f5b0021c8e05eff3f
SHA512 a22f695171fbc86f65bf89260ec55d7d10a4bde5ffc973e0221afe5549bce7a319e7853625e130575e9f2944e43da66eabb175bf6b31c953dfea4fd92befa5bb

memory/2992-232-0x0000000000FF0000-0x000000000114A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8612983c-c1d0-4543-a0f8-9ee2ffdb0cf3.vbs

MD5 567b148c7c10cbe152f0e02fb09a9325
SHA1 c40a7ec75d0575ff748ae83d569202ba7d24224e
SHA256 2ce04bb1f02b2e6840ba5112c31bc2a94ed5538e127648d7a22a604ff1b5c248
SHA512 0b2a2a630637e47b2b1c25f54e967e5cb31118740738e8e182f596e4955f1cbade060533674e94e2cf391d491748e2695fba87ce76ef439f319ef8cf51fe95a1

C:\Users\Admin\AppData\Local\Temp\73c027d4-95f0-4263-bd90-d9667b145154.vbs

MD5 f031e96e54d404fea0da0c8d745e4aa6
SHA1 057034288bed1c37d0f23b7b2b52ec292fa1c103
SHA256 8e895faa91fb0d020348e30869e275542299d580e995ae66b921be02cd1d2807
SHA512 49bf5be3f6ceabb0c47327c036e24bc49b3ccab63cc14a6d819740ec52c3ad8430de87bd0e2f44e5445608659a504c0010cc5d4556a1dd38dcf2dcb4b5dd3396

C:\Users\Admin\AppData\Local\Temp\060c69e3-8922-45be-87e9-5f60534bf0fc.vbs

MD5 e851b27efc0aa5e611a0f8f21b44d7af
SHA1 0208d843f2dcefd95358a21b3b22b0fc54ac5026
SHA256 c0f63a2ddc318d800f7ce08af1647d80a109779736954d0a1acd6671a2e1b2b4
SHA512 d8f34e181bbb7236d46a6eab8f0deee35f9bbbd125f8911ad85c0f103a6e0e5ff4ea446cf5ec2ab7b86fb8a881b6cb256a70b6317868652ba63cde9354f12f98

memory/1556-266-0x0000000001290000-0x00000000013EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41176c31-eceb-404f-9920-3ce32e70f66c.vbs

MD5 c0546b1ea78ce440544d2bf3c3fc8aa0
SHA1 bf24480341eb91a5d7abb043671de0e5cb8960da
SHA256 c78cd485de51f8addf174c6fc2a10ee283d30fcceab57c90afd91fe4715d2516
SHA512 d27445b23f28ab6b805522c398c10901fe03e0e98c0c74dbc0d6330f4baaa7c4480d1c509fffb5969503e2ee0407d501b843dab7473b03773b316e6dfb0922e8

C:\Users\Admin\AppData\Local\Temp\010c95fe-4b29-480e-b68a-70f9e1cd6505.vbs

MD5 0c863e163c5b6f33820d84e82202414e
SHA1 402c06891c7b75707caff2c5a989fe72dc4c8365
SHA256 4aa7d3af491d23944c42479f7db5656a5d1527d7cbf6cf1a4bd41966c9990a6b
SHA512 dfa6cbc3b0692d41e437565641685642fad20263834356f8c675b30aaa9d571e9509794c1998ead3d24b0f4cc2b1cebf50b5b8f46dae26e2df42c0ecab4f9466

C:\Users\Admin\AppData\Local\Temp\fd8512e7-288f-4163-9b4c-17cfb37453ea.vbs

MD5 ec4d47b82903fa1394e5b55c4733c720
SHA1 9f2b9dbe86e965bf2974dbbf6e0c62e3c37a6e4f
SHA256 b15fe37e112264143b3d5b51f07f1ddcfddb829f3e8ad3762ef50d0546db36ea
SHA512 e121aee8fc2a2f937a364887c1de3b57efaee3c0ef878d0f52e3251b8e2e6f6bff088d4425a92bcdf341f8c8d9e759d263252f9a6fb49b12039346085762370f

C:\Users\Admin\AppData\Local\Temp\b57db4fc-1272-4c1d-acff-efc70e4c0865.vbs

MD5 a1aa39cf641f9af58d2b3a7395ae56f2
SHA1 90bb662327d55b635692430a41bd72a8ba267b78
SHA256 3e3ba720fb9c9f626065bf5fd5e4b36ded3b8ba25251f0c7cf8150b9405a2bf6
SHA512 889685ea04711b0ce471b5b7d2c6003fa9f1c6dcdc448e86c3e0976cd1b96275a76a791bce77b064586b622e283032b350579926ff4752a00762cfcecc28515f

C:\Users\Admin\AppData\Local\Temp\d46d2ee3-0901-4a6a-bfe1-857dec79b0ce.vbs

MD5 2c708257b5bfa3fbaffffef9e0955ab0
SHA1 8ec65281aefc2ca06eda99ee3049258c3807f3d3
SHA256 b18422ccd6364dfefa6733ee495e85386efb178f316ef9bc9c4b3badf9d26a9d
SHA512 4e5cda32c1cf8c5ccc7400f7de8a88af739933311df90a3a5803a85066ca620cdf9a4df8512d198edc0d1e5f9d8b5a49cd7bfa6f7d440f68863964233d0baae8

C:\Users\Admin\AppData\Local\Temp\f377bc9c-4af4-4484-8c91-0c3bb510600d.vbs

MD5 0cc061bc9860e95157ada05d084ee66c
SHA1 37560e556e64255edcd19f473afba97b5101c5e4
SHA256 0d64a16ccb2f1793f6e55bfd126bf7535e4d36b5ff7571c914f088fc276146ee
SHA512 95ae51447a0a4a7b4954e829ee877d7f15a3fedad64231a12dad7bccebd87620b386ddc5357b9aa9470138da046374b6e9383cb55db0e0a98b682ef5d8831a1a

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 16:22

Reported

2024-07-22 16:24

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\System.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\System.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\System.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe\", \"C:\\Windows\\Help\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\System.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe\", \"C:\\Windows\\Help\\en-US\\spoolsv.exe\", \"C:\\Users\\Default\\Documents\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
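Two process-tree relationships in this detonation are worth turning into checks: WmiPrvSE.exe spawning schtasks.exe (the table above, 24 times), and the loop visible in the command lines and the WriteProcessMemory table where the dropped fontdrvhost.exe starts WScript.exe with a temporary .vbs, which starts fontdrvhost.exe again. The script below is an added example for this report, not sandbox or DCRat code. EVENTS is constructed from the report's PIDs and image paths in the WriteProcessMemory table; the PIDs of the WmiPrvSE.exe and schtasks.exe processes, and the sample's own parent PID, are assumed because the report does not list them. The parent/child rule table is also an assumption.

```python
"""Parent/child process checks for the DCRat launch pattern in this report.

Added example, not sandbox or DCRat code. EVENTS is (pid, ppid, image) built
from the report's WriteProcessMemory table; PIDs 1234, 800, 2500, 2600 and 2700
are assumed, as the report does not give them.
"""
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"
DROPPED = r"C:\Users\Default\Cookies\fontdrvhost.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"

EVENTS = [
    (4548, 1234, SAMPLE),                      # ppid 1234 assumed
    (508, 4548, DROPPED), (4900, 508, WSCRIPT), (916, 508, WSCRIPT),
    (4140, 4900, DROPPED), (4300, 4140, WSCRIPT), (2948, 4140, WSCRIPT),
    (3972, 4300, DROPPED), (3176, 3972, WSCRIPT), (3320, 3972, WSCRIPT),
    (840, 3176, DROPPED), (632, 840, WSCRIPT), (4088, 840, WSCRIPT),
    (2500, 800, WMIPRVSE),                     # pids 800/2500/2600/2700 assumed
    (2600, 2500, SCHTASKS), (2700, 2500, SCHTASKS),
]

# Rule assumption: these parents have no business starting these children.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe",
                     "wscript.exe", "cscript.exe"},
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def image_name(path):
    return PureWindowsPath(path).name.lower()


def by_pid_map(events):
    """pid -> (ppid, image)."""
    return {pid: (ppid, image) for pid, ppid, image in events}


def unexpected_children(events):
    """(ppid, pid, parent name, child name) for every rule-breaking spawn."""
    by_pid = by_pid_map(events)
    hits = []
    for pid, ppid, image in events:
        if ppid not in by_pid:
            continue
        parent = image_name(by_pid[ppid][1])
        if image_name(image) in UNEXPECTED_CHILDREN.get(parent, ()):
            hits.append((ppid, pid, parent, image_name(image)))
    return hits


def relaunched_via_script_host(events):
    """pids whose parent is a script host that was itself started by the same image.

    This is the X -> WScript.exe -> X loop that the dropped .vbs files produce.
    """
    by_pid = by_pid_map(events)
    hits = []
    for pid, ppid, image in events:
        if ppid not in by_pid:
            continue
        gppid, parent_image = by_pid[ppid]
        if image_name(parent_image) not in SCRIPT_HOSTS or gppid not in by_pid:
            continue
        if by_pid[gppid][1].lower() == image.lower():
            hits.append(pid)
    return hits


def lineage(events, pid):
    """Image names from pid up to the root of the recorded tree, nearest first."""
    by_pid = by_pid_map(events)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image = by_pid[pid]
        chain.append(image_name(image))
        pid = ppid
    return chain


if __name__ == "__main__":
    print("unexpected spawns:", unexpected_children(EVENTS))
    print("relaunched through a script host:", relaunched_via_script_host(EVENTS))
    print("lineage of 632:", " <- ".join(lineage(EVENTS, 632)))
```

The relaunch check keys on the grandparent image rather than on WScript.exe alone, so legitimate logon scripts that start a program once are not flagged; only an image that reappears on both sides of the script host is.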

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Default\Cookies\fontdrvhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Music\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Help\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Default\\Documents\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Help\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Default\\Documents\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Music\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
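The Winlogon\Shell writes above grow one entry per dropped copy until explorer.exe is followed by eight extra programs, and every Run value points at a file named after a Windows process (RuntimeBroker.exe, dwm.exe, fontdrvhost.exe, spoolsv.exe, sihost.exe) stored in a directory where no such binary belongs. Both facts are mechanically checkable. The script below is an added example for this report, not sandbox or DCRat code. Its input is constructed from the final Winlogon\Shell value and a subset of the Run values in the two tables above, plus one benign control entry that is not from the report; nothing is read from a live registry. The list of impersonated process names and the trusted system directories are assumptions.

```python
"""Audit autostart values for DCRat-style look-alike persistence.

Added example for this report; not sandbox or DCRat code. The registry data
below is constructed from the 'Modifies WinLogon for persistence' and 'Adds Run
key to start application' tables (last Winlogon\\Shell write, four Run values)
plus one constructed benign entry; nothing is read from a live registry.
"""
import csv
from pathlib import PureWindowsPath

# Windows process names the sample borrows for its dropped copies (assumed list).
# The genuine binaries live in TRUSTED_PARENTS; the same name anywhere else is a
# look-alike. 'System.exe' mimics the kernel 'System' process, which has no
# image file at all.
SYSTEM_BINARY_NAMES = {
    "explorer.exe", "runtimebroker.exe", "dwm.exe", "system.exe",
    "fontdrvhost.exe", "musnotification.exe", "spoolsv.exe", "sihost.exe",
    "wmiprvse.exe", "backgroundtaskhost.exe",
}
TRUSTED_PARENTS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Value data of the last Winlogon\Shell write in the report.
WINLOGON_SHELL = (
    'explorer.exe, "C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe", '
    '"C:\\Recovery\\WindowsRE\\dwm.exe", "C:\\Recovery\\WindowsRE\\RuntimeBroker.exe", '
    '"C:\\Users\\Public\\Music\\System.exe", "C:\\Users\\Default\\Cookies\\fontdrvhost.exe", '
    '"C:\\Program Files\\Windows Portable Devices\\MusNotification.exe", '
    '"C:\\Windows\\Help\\en-US\\spoolsv.exe", "C:\\Users\\Default\\Documents\\sihost.exe"'
)

# (key, value name, value data); the OneDrive entry is a constructed benign control.
RUN_VALUES = [
    (HKCU_RUN, "fontdrvhost", '"C:\\Users\\Default\\Cookies\\fontdrvhost.exe"'),
    (HKLM_RUN, "spoolsv", '"C:\\Windows\\Help\\en-US\\spoolsv.exe"'),
    (HKLM_RUN, "RuntimeBroker", '"C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe"'),
    (HKCU_RUN, "dwm", '"C:\\Recovery\\WindowsRE\\dwm.exe"'),
    (HKCU_RUN, "OneDrive", '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
]


def parse_shell_list(value):
    """Split a Winlogon\\Shell value: comma-separated, entries may be quoted."""
    row = next(csv.reader([value], skipinitialspace=True))
    return [entry.strip() for entry in row if entry.strip()]


def exe_from_command(command):
    """Image path from a Run value: the quoted path, or the first token if unquoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def lookalike_reason(path):
    """Why an image path impersonates a Windows binary, or None if it does not."""
    p = PureWindowsPath(path)
    if p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in TRUSTED_PARENTS:
        return f"{p.name} is a Windows process name but runs from {p.parent}"
    return None


def audit_winlogon_shell(value):
    """Anything beyond a bare 'explorer.exe' in Winlogon\\Shell runs at every logon."""
    entries = parse_shell_list(value)
    findings = []
    if not entries or entries[0].lower() != "explorer.exe":
        findings.append((entries[0] if entries else "", "Shell does not start with explorer.exe"))
    for extra in entries[1:]:
        findings.append((extra, lookalike_reason(extra) or "extra logon program"))
    return findings


def audit_run_values(values):
    """Run entries whose image impersonates a Windows binary outside the system dirs."""
    findings = []
    for key, name, data in values:
        exe = exe_from_command(data)
        reason = lookalike_reason(exe)
        if reason:
            findings.append((key, name, exe, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon_shell(WINLOGON_SHELL):
        print("Winlogon\\Shell:", *finding)
    for finding in audit_run_values(RUN_VALUES):
        print("Run:", *finding)
```

On a live host the same two functions can be fed from the registry (the Shell value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and the Run keys in both hives); the parsing handles the quoted, comma-separated form the sample writes, and a value that has been reset to plain explorer.exe produces no findings.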

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files\Windows Portable Devices\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX8837.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX8838.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Program Files\Windows Portable Devices\aa97147c4c782d C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX7C66.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX7C67.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\en-US\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Windows\Help\en-US\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Windows\Help\en-US\RCX8A4C.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Windows\Help\en-US\RCX8ABB.tmp C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File opened for modification C:\Windows\Help\en-US\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
File created C:\Windows\schemas\TSWorkSpace\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Default\Cookies\fontdrvhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Cookies\fontdrvhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4548 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 508 wrote to memory of 4900 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 508 wrote to memory of 916 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4900 wrote to memory of 4140 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 4140 wrote to memory of 4300 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4140 wrote to memory of 2948 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4300 wrote to memory of 3972 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 3972 wrote to memory of 3176 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 3972 wrote to memory of 3320 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 3176 wrote to memory of 840 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 840 wrote to memory of 632 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 840 wrote to memory of 4088 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 632 wrote to memory of 4384 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 4384 wrote to memory of 4780 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4384 wrote to memory of 1280 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 1540 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 1540 wrote to memory of 1068 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 1540 wrote to memory of 4376 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 1068 wrote to memory of 3772 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 3772 wrote to memory of 3028 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 3772 wrote to memory of 1004 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 3028 wrote to memory of 3928 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 3928 wrote to memory of 508 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 3928 wrote to memory of 536 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 508 wrote to memory of 4984 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 4984 wrote to memory of 632 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4984 wrote to memory of 1960 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 632 wrote to memory of 4348 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 4348 wrote to memory of 2040 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4348 wrote to memory of 3792 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 2040 wrote to memory of 3696 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Cookies\fontdrvhost.exe
PID 3696 wrote to memory of 3036 N/A C:\Users\Default\Cookies\fontdrvhost.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe

"C:\Users\Admin\AppData\Local\Temp\682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\MusNotification.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\en-US\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Help\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Documents\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\sihost.exe'" /rl HIGHEST /f

C:\Users\Default\Cookies\fontdrvhost.exe

"C:\Users\Default\Cookies\fontdrvhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc033611-d2d0-44b0-b277-4977adef5908.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\841342f7-1e3c-4245-8dea-77c1085e84ae.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\257d045d-0555-4632-9085-4363078208f3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17d31dc7-af5f-41d0-99c8-8d65faf5d6f4.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32432e3c-d9de-4559-9a06-dd76fc0ea08e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e74a0ff-b026-4b09-8178-e322614a80d3.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\805768f0-8f3c-4087-8e66-4e6892e68392.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41267a48-933d-4c81-a165-b2f1ee7cf29a.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96c02fd5-b86e-4c79-9598-9192034dc619.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a81f9432-7531-4c29-99bc-080dea902f11.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c595f92e-0a95-4670-b7ee-50be35de7acf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bba41d8-1d36-4709-9344-158aaae088a2.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22b04a1f-b109-4d85-9d31-2c20f04d08d2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbd66830-6180-4f71-b5d1-682a3ed9bcf8.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e4d2282-b1ca-41cc-8169-e6a62efc4311.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b85c961-42f2-4c17-9f0e-33d9e85f7665.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9559992-6813-4550-a111-527ef7c4c9fc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab2a99af-9977-4497-a89f-07ce0d419cc1.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c53620db-243b-43e1-b707-1764855e6e3a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aa4de02-c1c3-4309-ac61-d177e5e01917.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64e30746-60ae-4f6b-afa0-3ebd7380e65b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7779719-7631-47ca-a9af-2be4444fdb7e.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22fc14e8-43b6-4e5d-9656-d0db3ec0b447.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\284fc433-5c34-4a93-8b1f-86a66acaf077.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a175d40d-c386-4747-aec2-15660821120c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba08e236-ade8-4e5b-ad16-8ade9421b7f5.vbs"

C:\Users\Default\Cookies\fontdrvhost.exe

C:\Users\Default\Cookies\fontdrvhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 a1005850.xsph.ru udp
RU 141.8.192.58:80 a1005850.xsph.ru tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 58.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 38.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\fontdrvhost.exe

MD5 f946ceb3dfbc4802323f045e77b9fc63
SHA1 04beac37360d30c5ad933f82f80bfd41ae294cc4
SHA256 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
SHA512 7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3

C:\Recovery\WindowsRE\RuntimeBroker.exe

MD5 60338cbf38a7e58b665f780abec2e9bc
SHA1 be090c261e318e87f3b723601c11272aa5ef3bbb
SHA256 5acaa969578ead27705c7d2f685762e82cca648fc26fef2b605f0ae1794111d0
SHA512 1ec2462e55bc2455f62ee700dbd004e13ce79fcbabf11c9d882bea95182a4e1ae5ce993d806190a3615a217b13a4bb5d44c5a262e4730225813feb6e84b6b983

C:\Users\Public\Music\System.exe

MD5 fe0ee60141ab3b866ef0958fd44c076b
SHA1 4de0415625ac4fe690e7bfc2a70c5971b1c2a027
SHA256 8c0da9e94f6f5393857cc94f667fbfebb9aade66c9544cc902675b4a5db12d8b
SHA512 252e67b459eb1c0ca01cab45bd2888fa1a33106487edc039bb0b592d4e0c75288d0cde6ea276094acacb6096cab153a9f7246d61fe6051e2c85fa3fb9bdd7db6

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\fontdrvhost.exe

MD5 0b2fc822e27e875977ff84253f5397e1
SHA1 983a016981ff412c4082e4468adc5346b1c4aaf5
SHA256 5f4f3e07aa2706a7a68cea1fd334361a3f22578ded2791280ed7d5a34018f288
SHA512 7f4cbdacd05fe2a3273e50d839dd594e7238a4fe4238444d8a7ae547623447f3359687dbfe276c903489e4af5ac5d724ebdb49abcabf1b52e74d1fb7a6b7cfcf

C:\Windows\Help\en-US\spoolsv.exe

MD5 92e5bf98b2c2ad695dc2e6941a74c54f
SHA1 4f9b53511b75bdf096ae95e597e46fd3c5364097
SHA256 74ac0989d2567257f03d7f8fa3ed73db6b74b420626fd77ca54a163a3dabec26
SHA512 59c7a25a59ec56008b0eb4e0822642bc6774a395e3ceae92762a7714b63408aa2c8fd1b4fadab4299572350dfd4083fa360b97e18187b35504d858cdeb120d5d

C:\Users\Default\Documents\sihost.exe

MD5 7621f394b1365c3a25fd23187b1e1791
SHA1 da195d0d481389dba8889ebba775335197f22b3d
SHA256 c3a123719de477e4485a91d3ce8230a8338461b44a961b68fdf2adbee45b619a
SHA512 a6567c99ffc612862b52907199852af27b4e37b4a8eec60490a6b7204c2c2d80d661f5eb439e62247b285f8a26a91438f799a72e96411b0da835cac231446a27

C:\Users\Admin\AppData\Local\Temp\bc033611-d2d0-44b0-b277-4977adef5908.vbs

MD5 b90b5ae3bb696d09d075a250c5865b36
SHA1 1a6149e118039d086b4bb2f48202fd6be7c25372
SHA256 4c52e5b7d28d0064801772941cecde903dfbc0ccb545737dc0cd76e0792a16c6
SHA512 154d75c17e2766d55d8bedeaa3b372aacfa25676399874e3170425a872a78d2a1f1d31cd4e6e2e85a881b62afde3dd9c6a4ac33fd28515e781617b8a6d29ace7

C:\Users\Admin\AppData\Local\Temp\841342f7-1e3c-4245-8dea-77c1085e84ae.vbs

MD5 763d21f582a2d96386da5202554a40fe
SHA1 45b9dd0577e85078cc31f6d5770f7f8ae6cd32a2
SHA256 38491c350c464362e75193f5ef3538d20d21d71cd1a337c37abea1f1adbb0632
SHA512 ebc2e8c4f53ac0144ba99831dd40718a02aa9505c766806245355f17b995ccf6657364d0369c867c4402ba9ded35e36cc838bc61194f29e65a499fb9cf956f3b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

MD5 3690a1c3b695227a38625dcf27bd6dac
SHA1 c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA256 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA512 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

C:\Users\Admin\AppData\Local\Temp\257d045d-0555-4632-9085-4363078208f3.vbs

MD5 6098e28a95b722b1da721add41b664f1
SHA1 b2d478107e84537d2c185772253c379ae64b4293
SHA256 8d5b251b1a70156e5b3848cb5cfa707e0f4581952e41713ea6edbf71b0c0f201
SHA512 edfdc31d57e1061f0ffe0b0aaa6b516e7dcb60cf24122bfd2a39c4854d1bc56e4ffbf39a01080fc41fb6ef5aa6b0b6b9b54de8a8b31f54e18f1e7b13f11ecf3c

C:\Users\Admin\AppData\Local\Temp\32432e3c-d9de-4559-9a06-dd76fc0ea08e.vbs

MD5 0a99863aa278a8e07c08d6635e9f6425
SHA1 db76021dc9b8bd8ddd102c51394230b8e90b3913
SHA256 9e5cdcb80c3791da6a54baa208717f98cc5fca8a8ce08fa8bb09317b0e23d58b
SHA512 dd1877b717504b8a24675a657489352eb4b872a329ad7425a149920e8c623e14463664864c7c0e59a9184274ba5f99519316abaa17058c53c7b5e80cc01c7fc3

C:\Users\Admin\AppData\Local\Temp\805768f0-8f3c-4087-8e66-4e6892e68392.vbs

MD5 aa73f347643c7fad7d907ad46689dc0e
SHA1 087fa6317232db070d1a755ee8b81b38843a5a22
SHA256 73c35d66633e2ea81e9b033dbd7ece867700eb010be42cc64005ce4a7577a9e7
SHA512 c9271b55b470247de122a1284050dd8b2d19526f5669ec7bf783acfd055980950e7431798a272e30f3b641cbb777cbba25c059582642bd5a99b4148d4be9750e

C:\Users\Admin\AppData\Local\Temp\96c02fd5-b86e-4c79-9598-9192034dc619.vbs

MD5 98fd91b458e18a7e8041e5a3fac36602
SHA1 96f62cdd6878f433ce2d660ad95ddac0380d8708
SHA256 85cc8ce8b35fdc5252ba86afd4f11e4b5032db72674c11d7905a7db658d6c57b
SHA512 343eb1b623f51dcaf7e2bdfff73379ad54ba6a1ba30ce9f1b37ff421b121b615a8c2b2aa9fb925d36a617c308594af32eb5adce4d639b3c259494fdbd3b70243

C:\Users\Admin\AppData\Local\Temp\c595f92e-0a95-4670-b7ee-50be35de7acf.vbs

MD5 7622906c193f3650e4d0b45d2373f100
SHA1 0ef5055229d6261f888d935ff6cd116cbb1c4d7b
SHA256 02f75b37398095078230a2290bd1bded8f7138d5b6514c37f47203267f47f1e5
SHA512 c24be76fa591a3f122c3541d201f7b56a0386dfefd98fa590d58b3e466f61bc6ab39667be66e022916150200fc7145353b8d9a8fbaafd61e750b3e2ca14bdf8c

C:\Users\Admin\AppData\Local\Temp\22b04a1f-b109-4d85-9d31-2c20f04d08d2.vbs

MD5 7e6af3f646ce1673eab4434d9c5176dd
SHA1 8d2a463d5b0a41a7e36716fed124b5511430c88a
SHA256 10dba4aad255b4e4e94d4daf5e32b447f696827873702e082bf66e10d4eeb9df
SHA512 6330a5fd3086178a4c56add1793f7dffa65c3ffdcbc09460c82b04d220cf3f3cd7df91895aa396befff567342a04cad4e2b4c6b34a219e8a1fb74edfe65cac70

C:\Users\Admin\AppData\Local\Temp\1e4d2282-b1ca-41cc-8169-e6a62efc4311.vbs

MD5 05b3d1d72e5b5c12e527ecc1bc361709
SHA1 19aa5d7314d8d0409d1ec61e96267406423d8134
SHA256 38defd43ed00f8cbbdf15c6d0356d1907a84f78c6970ec704cba52c897a19e2e
SHA512 da57db719b6f026ad1cb1cde0a7ab380140962b29895c9beaf0438ea0c1bb0f6e9cbbf1767c735849297fea55766b3f62fe902a3cb4666dfd59a3ed202360749

C:\Users\Admin\AppData\Local\Temp\a9559992-6813-4550-a111-527ef7c4c9fc.vbs

MD5 00a371d774ab7edc032d3a8e270db59b
SHA1 aea041ff8faf53ebef1e193d0e5eff16e555f1b4
SHA256 b7783a3b6ebef5a18b873fd80b9bc604f7232b4e436c96545bfc666ec63389b2
SHA512 67c3753c0f12c83efa6bd6b01bc978de6d90b9c49e58b0c5f046c40692100622a7b9ef5c8aab9aaf9f7b4e5f09e83a69aca6520f1648504e0edf4d3742d514df

C:\Users\Admin\AppData\Local\Temp\c53620db-243b-43e1-b707-1764855e6e3a.vbs

MD5 bd68254c3b10e1fc8e7b0347360a4827
SHA1 80e0434c4fa9e960c1e6a63d74c0f6805aa56afe
SHA256 5989d68b5192c76872058b4c1bb17f139fb4a23c04964c3cfaac735f97860e6f
SHA512 483fdd0f18448b6b3a8c6a5a135e806994bdd3fa52bec55204d5dc3795d063f91d8877d5505a2df07422b69b5d7237d1af8400ceda5af6c114f9cb229419a8b3

C:\Users\Admin\AppData\Local\Temp\64e30746-60ae-4f6b-afa0-3ebd7380e65b.vbs

MD5 1b1e1c4a25ac763b643b0feac74210a2
SHA1 239517baff076433cfbec070da9fd2f021d56149
SHA256 8926ae11288f28c2c24a9c7cd83914e955e5cafcd1a171a70c67768d8c7ba1d8
SHA512 8c481601209dcfeba62f89dab85f271467d7510ce98da614d6e467a266d507ec427bdc8216e6531351b379c218827631f8d2dec374d973add9a6d7de003308c5

C:\Users\Admin\AppData\Local\Temp\22fc14e8-43b6-4e5d-9656-d0db3ec0b447.vbs

MD5 28ce6b80660408701ecd8fc4abbbca05
SHA1 3546a868d19f7347a63726e1384f079ad71f16a2
SHA256 70d3434ae15e0e7a1f143e33f4500ec375d85edfdf6d4df1adeb50bccce6d883
SHA512 96cc573e6c779a2c3d7b92ceb5493969daaf94ea7415e50df2443d08fd0ccf1d3ec2e9d46c03c45acafbdbf46685eeb4a978fca0a91d8983f9befa292b55c025

C:\Users\Admin\AppData\Local\Temp\a175d40d-c386-4747-aec2-15660821120c.vbs

MD5 42a425d3b92b0d8a9d15135ea86b0d86
SHA1 5388ca0e0d5d5a6f04ab72caf29c6ef6dc018d01
SHA256 c60e4865723fe39ae861b6aefe9d8cea9cfe0ad178734a778b17b98758eb80f5
SHA512 e43e9149b051111e14f8d58e8d782146814b3482d6729745aaa8e4bb76a598f7fe549d0cd59511ca5b7be9149f352de2824c861ba38aad3d139f2831e76f49d4