Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-cz473aae7t
Target NEAS.12512b9fc15ed49fb1066046fb8fed90.exe
SHA256 cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0
Tags
rat dcrat evasion infostealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0

Threat Level: Known bad

The file NEAS.12512b9fc15ed49fb1066046fb8fed90.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

UAC bypass

Process spawned unexpected child process

Dcrat family

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-18 02:31

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-18 02:31

Reported

2023-11-18 02:34

Platform

win7-20231023-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(57 identical entries)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(16 identical entries)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Google\Update\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\RCXC5D8.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\RCXC307.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\RCXCD6C.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\RCXABDB.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXCF81.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\RCXCD5C.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Google\Update\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\RCXC5D7.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXCF80.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\RCXABEC.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\RCXB351.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\RCXC385.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\RCXB321.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ModemLogs\audiodg.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\TAPI\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\ModemLogs\RCXD697.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Windows\TAPI\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\RCXB9BC.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\TAPI\RCXCADA.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\TAPI\RCXCAEB.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\ModemLogs\RCXD715.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Windows\TAPI\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\RCXB9CD.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\ModemLogs\audiodg.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Windows\ModemLogs\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(57 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
(64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe
PID 1316 wrote to memory of 2712 N/A C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe C:\Windows\System32\WScript.exe
PID 1316 wrote to memory of 2704 N/A C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe C:\Windows\System32\WScript.exe
PID 2712 wrote to memory of 240 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe
PID 240 wrote to memory of 1188 N/A C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe C:\Windows\System32\WScript.exe
PID 240 wrote to memory of 1296 N/A C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe C:\Windows\System32\WScript.exe
PID 1188 wrote to memory of 1524 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe
PID 1524 wrote to memory of 2052 N/A C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe C:\Windows\System32\WScript.exe
PID 1524 wrote to memory of 1884 N/A C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Downloads\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ModemLogs\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\audiodg.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3385657-9550-4bad-b6a6-5a47c31ff50f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7f90b85-bd02-4549-a77e-18150b3f4b48.vbs"

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e519c43d-a289-4f38-92f0-4e38ae0cac89.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a378960-6ad0-4294-a6a5-b7ec17b1447e.vbs"

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de58d141-469c-4030-9999-879023294bbb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d76157d-d710-451b-b78e-2d8731a4cf10.vbs"

Network

Country Destination Domain Proto
UA 77.123.31.10:8080 tcp

Files

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\winlogon.exe

MD5 12512b9fc15ed49fb1066046fb8fed90
SHA1 480b04304f83fa8b96d28e060068fbc11c9b3a05
SHA256 cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0
SHA512 d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dllhost.exe

MD5 26d63ae006f72613796303cd258e8cd5
SHA1 d4c4143a4ea4781494e22044359ac8a748902575
SHA256 9c4dc1c01093be5b1bd0b2599a13e22a1d114d3e625ce999d5735efbdd929a36
SHA512 83dca9c75ce6eb4e992dc6b741597760a32045cf178e596c0ed38a977b25487bbfd3a53415bb8a6bbad8a9dd0698e241880bd8690364f4c7b03a609e97bfadfb

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\smss.exe

MD5 3fdd85eefd01c0a2df96654a86ed664a
SHA1 2a5257557c3651562db1a1fe491273dc0fb401ac
SHA256 c45d1ed3469f2e5f2a99f8abe2ac29b2e7c4a22b3f0ce7668c748d19b0646926
SHA512 c128fb27d97fb5c28116715285910c8188ce87176742cd4da88d810ea89e4df394e896a0ed7214b9c7ff775dd5b00ede8f0afc4d8bc86bde1dd675eb712cce8f

C:\Program Files (x86)\Google\Update\System.exe

MD5 79ca8c449813f1494a0e97cbd8b67175
SHA1 a6a8a3d763c71c32b096c3b1b0d183f777696255
SHA256 bc5e8bc054b851b8fee46fdf682271834030aeac49c395425463b93daec93081
SHA512 e6cdd3584bafe212edf29c6818d1d7c74f2346fb186a676236d1a8283fbdaa3ebd36e2a15e2f329deeb1df9b60c0f658b4663494123fe1ccb50946d2b70b0080

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\Idle.exe

MD5 89a0aeda40f0bb3a00b749692ed362b3
SHA1 33f48c6d2742ef2ff02a1c4b62bdfa1d6cf7b69f
SHA256 ab1a1eb7b109a0ddd23a4f0bdf270a50a9f9a55f16c42dc8439195367a891401
SHA512 83309404242009c9bac93e114c436300325bc5cac98ad64f7711dd85fe25df006a7a9e336e56e8126b0d3093a79e1866861bf30cb94e0ab8928ff70fe890bd2c

C:\Users\Default\services.exe

MD5 5549fd69497d9d677c5562a508329408
SHA1 a0a2e72a0b5cbf4b44ba0bfc0521f8cad9806270
SHA256 59d34aae6ef5deeb074aae1debbeec3ebf5176db141077abd52fde602ab65d6e
SHA512 608bd00604c98d674769dbed27bca3843d7a54700e5338cc9a328ed5d4ed93685fccb62f4659e1933697d58abe81e83e3affcf29d9bd4d3d3d969100db077077

C:\Windows\ModemLogs\audiodg.exe

MD5 2996965987e3264e25dff4072ec4a6d8
SHA1 fcb6d017b45e31055d7877d6bcd06f2bb9fb003e
SHA256 d3b54a5cebc40e26e5acfcd345db439763771a41c7ad65de0c7382caa88aa256
SHA512 962eb8da6c546876ac254e502e76bdbd3db292cc3321838f9f0c1bf7d4dbc21593d3ec4210c4d0cefa071c31f92afe1f2277c8f6fc16ba77eb91c9725aeedb7a

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe

MD5 12512b9fc15ed49fb1066046fb8fed90
SHA1 480b04304f83fa8b96d28e060068fbc11c9b3a05
SHA256 cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0
SHA512 d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 775d4dc37b7cd0cb6dadfbdcbea8f6e3
SHA1 ac20bc2f2c6a372fb42d06e1886a06d66f44a741
SHA256 397f5f7181b711ead935d815b62b3cfc116ada17e909ec201808b7ff38c8bf18
SHA512 f744188199c248bc796ce6511800adc10f03a52676664cf98b90f73204152ffa92edc0f06e9dc1e69d2a53340e4c5a1c64e6a9a4d06e3caf2378ac87f1fb387a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H6O8VBSU4G56F2P0D9I6.temp

MD5 775d4dc37b7cd0cb6dadfbdcbea8f6e3
SHA1 ac20bc2f2c6a372fb42d06e1886a06d66f44a741
SHA256 397f5f7181b711ead935d815b62b3cfc116ada17e909ec201808b7ff38c8bf18
SHA512 f744188199c248bc796ce6511800adc10f03a52676664cf98b90f73204152ffa92edc0f06e9dc1e69d2a53340e4c5a1c64e6a9a4d06e3caf2378ac87f1fb387a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 775d4dc37b7cd0cb6dadfbdcbea8f6e3
SHA1 ac20bc2f2c6a372fb42d06e1886a06d66f44a741
SHA256 397f5f7181b711ead935d815b62b3cfc116ada17e909ec201808b7ff38c8bf18
SHA512 f744188199c248bc796ce6511800adc10f03a52676664cf98b90f73204152ffa92edc0f06e9dc1e69d2a53340e4c5a1c64e6a9a4d06e3caf2378ac87f1fb387a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 775d4dc37b7cd0cb6dadfbdcbea8f6e3
SHA1 ac20bc2f2c6a372fb42d06e1886a06d66f44a741
SHA256 397f5f7181b711ead935d815b62b3cfc116ada17e909ec201808b7ff38c8bf18
SHA512 f744188199c248bc796ce6511800adc10f03a52676664cf98b90f73204152ffa92edc0f06e9dc1e69d2a53340e4c5a1c64e6a9a4d06e3caf2378ac87f1fb387a

memory/880-337-0x000000001B330000-0x000000001B612000-memory.dmp

memory/880-339-0x0000000002620000-0x0000000002628000-memory.dmp

memory/2764-340-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c3385657-9550-4bad-b6a6-5a47c31ff50f.vbs

MD5 0153b21ede76dabd04dd8640ff9539e7
SHA1 54785e6a2f5a1c0b1e55243641019ed250671872
SHA256 22d4ab715093b083ae854374ab4aacfc83a40a7cee31a218ea46d914dd7db360
SHA512 c960049b4f64a318dd94e083631c67e1ef3bbb9a145aeda2b3ec645a9c1795cef8732f6e10cf4c79f0ddffbb92a2a89f8b6f33312c5c99ee89c4477077712198

C:\Users\Admin\AppData\Local\Temp\f7f90b85-bd02-4549-a77e-18150b3f4b48.vbs

MD5 a69945be1ff60bc611bf8f3924b9bf39
SHA1 5325ede08307ddb15ad07473701ec2d4e8395802
SHA256 b1d984c7d8003824776045625893ee35f9c3b42241898203622722b4f23e5ffb
SHA512 b8fdb81cc813e7b5f5c3f85a2d25890143483de4c351a9a470c96afec86f4305405dc6edd2578df6ba8506a945de929b410148c4cd687db9ebe1ed53d4f45986

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe

MD5 12512b9fc15ed49fb1066046fb8fed90
SHA1 480b04304f83fa8b96d28e060068fbc11c9b3a05
SHA256 cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0
SHA512 d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

C:\Users\Admin\AppData\Local\Temp\f41ca93d8deb491c3651a25177edbfdec809d4f4.exe

MD5 12512b9fc15ed49fb1066046fb8fed90
SHA1 480b04304f83fa8b96d28e060068fbc11c9b3a05
SHA256 cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0
SHA512 d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

C:\Users\Admin\AppData\Local\Temp\e519c43d-a289-4f38-92f0-4e38ae0cac89.vbs

MD5 8d8a66375abb6f008938bcf36466adfe
SHA1 f4d12328ca814d6464e9a3591f97ae112c06fc13
SHA256 b979b6b608af706e13443222c89c6a91c51f320110757fedb231c78869e1b85e
SHA512 5b3ed140f031a2591ade7ba172bec1f013fdad7485e966ee521321629a618e8b1f8151fb91196d96b19870619cf7c880871b9fbb24fddbc15f4a1335c106d132

C:\Users\Admin\AppData\Local\Temp\2a378960-6ad0-4294-a6a5-b7ec17b1447e.vbs

MD5 a69945be1ff60bc611bf8f3924b9bf39
SHA1 5325ede08307ddb15ad07473701ec2d4e8395802
SHA256 b1d984c7d8003824776045625893ee35f9c3b42241898203622722b4f23e5ffb
SHA512 b8fdb81cc813e7b5f5c3f85a2d25890143483de4c351a9a470c96afec86f4305405dc6edd2578df6ba8506a945de929b410148c4cd687db9ebe1ed53d4f45986

C:\Users\Admin\AppData\Local\Temp\de58d141-469c-4030-9999-879023294bbb.vbs

MD5 9b0d9f7b52c05551a8e47eec07256e67
SHA1 90f4d8f9933a61128aeeb006a6d63898c14ee95e
SHA256 ce815ad99757940e5ba002e04784d03dc4c281a9eeb0181acd882e59f2b2f9e1
SHA512 b61ee5ef0b65e97b955083b9149cc67ff6b1c285192952a3bd2bc6d798abb52129636f3474f00a5d6f568ca593e8e87983152d91ade9c6313cb5cb5aa54bd50e

C:\Users\Admin\AppData\Local\Temp\0d76157d-d710-451b-b78e-2d8731a4cf10.vbs

MD5 a69945be1ff60bc611bf8f3924b9bf39
SHA1 5325ede08307ddb15ad07473701ec2d4e8395802
SHA256 b1d984c7d8003824776045625893ee35f9c3b42241898203622722b4f23e5ffb
SHA512 b8fdb81cc813e7b5f5c3f85a2d25890143483de4c351a9a470c96afec86f4305405dc6edd2578df6ba8506a945de929b410148c4cd687db9ebe1ed53d4f45986

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 02:31

Reported

2023-11-18 02:34

Platform

win10v2004-20231020-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(54 identical events)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(11 identical events)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\odt\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\odt\backgroundTaskHost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\odt\backgroundTaskHost.exe N/A
N/A N/A C:\odt\backgroundTaskHost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\odt\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\odt\backgroundTaskHost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Visualizations\sysmon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCX3ACA.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX400E.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX408C.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files\Windows Media Player\Visualizations\sysmon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCX3AFA.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Visualizations\RCX2ECD.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files\Windows Media Player\Visualizations\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Visualizations\RCX2EBC.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\L2Schemas\RCX2484.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\L2Schemas\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Windows\L2Schemas\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File created C:\Windows\L2Schemas\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
File opened for modification C:\Windows\L2Schemas\RCX2464.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(54 identical events)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings C:\odt\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings C:\odt\backgroundTaskHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
(64 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\cmd.exe
PID 760 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe C:\Windows\System32\cmd.exe
PID 3776 wrote to memory of 5952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3776 wrote to memory of 5952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3776 wrote to memory of 5436 N/A C:\Windows\System32\cmd.exe C:\odt\backgroundTaskHost.exe
PID 3776 wrote to memory of 5436 N/A C:\Windows\System32\cmd.exe C:\odt\backgroundTaskHost.exe
PID 5436 wrote to memory of 5832 N/A C:\odt\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5436 wrote to memory of 5832 N/A C:\odt\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5436 wrote to memory of 5908 N/A C:\odt\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5436 wrote to memory of 5908 N/A C:\odt\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5832 wrote to memory of 5132 N/A C:\Windows\System32\WScript.exe C:\odt\backgroundTaskHost.exe
PID 5832 wrote to memory of 5132 N/A C:\Windows\System32\WScript.exe C:\odt\backgroundTaskHost.exe
PID 5132 wrote to memory of 4448 N/A C:\odt\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5132 wrote to memory of 4448 N/A C:\odt\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5132 wrote to memory of 5032 N/A C:\odt\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5132 wrote to memory of 5032 N/A C:\odt\backgroundTaskHost.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\odt\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\odt\backgroundTaskHost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\odt\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\odt\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Visualizations\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\odt\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\odt\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.12512b9fc15ed49fb1066046fb8fed90N" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.12512b9fc15ed49fb1066046fb8fed90" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.12512b9fc15ed49fb1066046fb8fed90N" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\NEAS.12512b9fc15ed49fb1066046fb8fed90.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P5Gj8VmPD3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\backgroundTaskHost.exe

"C:\odt\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b1d779-692b-4770-8bbb-2d46d5b7df9a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc67fda2-50a5-4cc2-bb40-cd4b18ed469f.vbs"

C:\odt\backgroundTaskHost.exe

C:\odt\backgroundTaskHost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4db556d6-1db3-4f25-9272-2e713f3a6062.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\600259e1-1932-4b2a-ae21-d3b49c2bbc36.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 121.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp
UA 77.123.31.10:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
UA 77.123.31.10:8080 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
UA 77.123.31.10:8080 tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

memory/760-0-0x0000000000590000-0x00000000006FC000-memory.dmp

memory/760-1-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/760-2-0x000000001B410000-0x000000001B420000-memory.dmp

memory/760-3-0x0000000002810000-0x000000000281E000-memory.dmp

memory/760-4-0x0000000002820000-0x0000000002828000-memory.dmp

memory/760-5-0x0000000002830000-0x000000000284C000-memory.dmp

memory/760-6-0x000000001B3C0000-0x000000001B410000-memory.dmp

memory/760-7-0x0000000002850000-0x0000000002858000-memory.dmp

memory/760-8-0x0000000002860000-0x0000000002870000-memory.dmp

memory/760-9-0x000000001B370000-0x000000001B386000-memory.dmp

memory/760-10-0x0000000002870000-0x0000000002880000-memory.dmp

memory/760-11-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

memory/760-12-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

memory/760-13-0x0000000000ED0000-0x0000000000EDC000-memory.dmp

memory/760-14-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

memory/760-15-0x000000001B390000-0x000000001B39C000-memory.dmp

memory/760-16-0x000000001B3A0000-0x000000001B3A8000-memory.dmp

memory/760-17-0x000000001B3B0000-0x000000001B3BA000-memory.dmp

memory/760-18-0x000000001BB60000-0x000000001BB6E000-memory.dmp

memory/760-21-0x000000001B410000-0x000000001B420000-memory.dmp

memory/760-22-0x000000001BB80000-0x000000001BB8E000-memory.dmp

memory/760-20-0x000000001B410000-0x000000001B420000-memory.dmp

memory/760-19-0x000000001BB70000-0x000000001BB78000-memory.dmp

memory/760-23-0x000000001B410000-0x000000001B420000-memory.dmp

memory/760-24-0x000000001B410000-0x000000001B420000-memory.dmp

memory/760-25-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/760-26-0x000000001B720000-0x000000001B72C000-memory.dmp

memory/760-27-0x000000001B730000-0x000000001B738000-memory.dmp

memory/760-28-0x000000001B740000-0x000000001B74A000-memory.dmp

memory/760-29-0x000000001B750000-0x000000001B75C000-memory.dmp

memory/760-36-0x000000001B410000-0x000000001B420000-memory.dmp

memory/760-37-0x000000001BFD0000-0x000000001C0D0000-memory.dmp

C:\odt\RuntimeBroker.exe

MD5 12512b9fc15ed49fb1066046fb8fed90
SHA1 480b04304f83fa8b96d28e060068fbc11c9b3a05
SHA256 cf16e32b1b72e0e7cc452b225cce99b35336453e41d3618f28f8766553fc4bb0
SHA512 d79b92c2a5ada634a829c9642818178fed1ba67464b008cd1e0d6e1d5be4b8b7255cad5cac9d0ffb16bf822fc0e9a47c9accef0b04530b04cc8056a575cac7a9

memory/760-72-0x000000001B410000-0x000000001B420000-memory.dmp

memory/760-73-0x000000001B410000-0x000000001B420000-memory.dmp

C:\odt\unsecapp.exe

MD5 bda00b2e1ce2afc699185e3babb0c967
SHA1 7c15c36a61e8ec824d59e3cead34b10d7bb23fa3
SHA256 1c1bd72699bfa0b02e2f1523d0f93f65339309655f4d61b80aa8cc6de7c604ee
SHA512 681748916cb9d6d967ef192837e8e7d8cfc0c8f37a2555d6f16c787a50aeca9b2369d113f856adfa0a191a1f5f876f3882048d2b186de4c6ccf841af671c169c

memory/760-110-0x000000001B410000-0x000000001B420000-memory.dmp

C:\Users\Admin\AppData\Roaming\csrss.exe

MD5 e36003ccaeed48476f1bb1aa4ec6bfe2
SHA1 8154f23ec6b4a8df17c0edb982dc0e200b28251c
SHA256 0f90b25254754f6c988153efbbc26b9a3f121f15c638249b06962ce52c066b58
SHA512 0b9f951acd8df55d62c6c2d1bb1a35a461e3d60a734391d07bf75ce53a55e25be493a8e8324f5bb10bd156d6f7acae4436a5ecfd38cb0f5953ee25253c898258

memory/760-145-0x000000001B410000-0x000000001B420000-memory.dmp

C:\odt\TextInputHost.exe

MD5 c460c9d52f216a2d7a43e9bcef493df2
SHA1 5cecd227f317c2131734e9ea69a6c59e7f17cd8b
SHA256 bf8af2bd976f2fcc0648edc2d7537b8f7739e7c12593f6af8a981c13f0658f7c
SHA512 ce212460d735bd8fb08b0dee9cde7d69fc3d1f00fa7f8f9da4781c71a52959a5349a8bea985ad607cc92bfe2e41c6c049ff8d76d879a260a61f87222b2c270d1

C:\odt\backgroundTaskHost.exe

MD5 662290f458afb73df9df2e3245b4c0b6
SHA1 6278b4a95a718b42b91b9714a32dded4fd6ffc0e
SHA256 aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640
SHA512 58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028

C:\Program Files (x86)\Windows Photo Viewer\es-ES\RuntimeBroker.exe

MD5 a6aed1429a806016f08a6f39a17cd1e8
SHA1 fa09aa2f6eeeac777e0d86afcc943309a425d056
SHA256 00b7a0580d1c12c142be5f12cab1ba1672b6bfb0a2543d372e095569093197f2
SHA512 7340be3706b5304350ae7a3f18a4cec8fc7226f0d2a6a43428ba3b59a34dd0a547258c4919463a59a75323a97536daad98deee9becb36ff852308ab2598b1b10

memory/760-268-0x000000001BFD0000-0x000000001C0D0000-memory.dmp

memory/3136-272-0x000001B1817A0000-0x000001B1817B0000-memory.dmp

memory/3136-271-0x000001B1817A0000-0x000001B1817B0000-memory.dmp

memory/1660-275-0x0000022A98390000-0x0000022A983A0000-memory.dmp

memory/1660-273-0x0000022A98390000-0x0000022A983A0000-memory.dmp

memory/3136-270-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/3492-276-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/760-277-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/2144-288-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/404-287-0x00000212F5600000-0x00000212F5622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ia4oigyj.yea.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3492-298-0x00000179F1C30000-0x00000179F1C40000-memory.dmp

memory/3020-340-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/2144-350-0x00000277CE720000-0x00000277CE730000-memory.dmp

memory/2144-363-0x00000277CE720000-0x00000277CE730000-memory.dmp

memory/2412-364-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/2412-365-0x0000022057C80000-0x0000022057C90000-memory.dmp

memory/2412-366-0x0000022057C80000-0x0000022057C90000-memory.dmp

memory/404-367-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/644-368-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/644-369-0x0000022408A20000-0x0000022408A30000-memory.dmp

memory/4168-370-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/644-371-0x0000022408A20000-0x0000022408A30000-memory.dmp

memory/4168-373-0x00000207F8480000-0x00000207F8490000-memory.dmp

memory/4168-372-0x00000207F8480000-0x00000207F8490000-memory.dmp

memory/932-374-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/3004-382-0x00007FFF26580000-0x00007FFF27041000-memory.dmp

memory/3020-402-0x000001D25C380000-0x000001D25C390000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\P5Gj8VmPD3.bat

MD5 93cc5e6659b0d5f81a607be4b7f66862
SHA1 9cface1233684dbda38366bb6876e9a833b18b62
SHA256 bd8f7a3fa6d6e46befb0f43ba3ed9ff6dd16ceca5de17f7faeae9e45d4c3f884
SHA512 caecd5e1ff367aff4faa9b7f173cbd78142ef5a004962ba21fbb9ea6ec79730b855b67253479ca7b3d01b8de1c5bf4ffde8956d3551c1fc273bdbf31d7c4ca4c

memory/3004-400-0x00000215AA5E0000-0x00000215AA5F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\odt\backgroundTaskHost.exe

MD5 662290f458afb73df9df2e3245b4c0b6
SHA1 6278b4a95a718b42b91b9714a32dded4fd6ffc0e
SHA256 aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640
SHA512 58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028

C:\odt\backgroundTaskHost.exe

MD5 662290f458afb73df9df2e3245b4c0b6
SHA1 6278b4a95a718b42b91b9714a32dded4fd6ffc0e
SHA256 aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640
SHA512 58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028

C:\Users\Admin\AppData\Local\Temp\e4b1d779-692b-4770-8bbb-2d46d5b7df9a.vbs

MD5 2a95f82ae5efa9d75b75df78cdf6ea47
SHA1 1a57cfa6e27aa91a6c5ef80aba247548ad96360b
SHA256 9065b36e9226c6cc91372503b304760d5b5f7c14cec559c0293181269d2642b9
SHA512 5fceff9b454577e1634d5a09bcca0e30224a68c1d47ef6441afa99845bc30a7ad430f9f7e4d2c77c3e6ddfcfbb38be3ed8fb1929eb5f88f9d9bb0dc34ca36555

C:\Users\Admin\AppData\Local\Temp\cc67fda2-50a5-4cc2-bb40-cd4b18ed469f.vbs

MD5 8f2dc3bdc9004ce03a6f79d348a1da4d
SHA1 a63427416e6bfaf0698b0f25db0e6aa089ba73f6
SHA256 d643f0983326c089cd42db2c9db4d4aee3fb585eda7ed7029b0186a12f3ed538
SHA512 d0b1ab67451d7079e7c3ca36492e64be4ec0ac19890d232a41f1d7813f46f0047b54093229bdd2e534fabc9410e929690bb8a57f5805d768789204b65dbf7024

C:\odt\backgroundTaskHost.exe

MD5 662290f458afb73df9df2e3245b4c0b6
SHA1 6278b4a95a718b42b91b9714a32dded4fd6ffc0e
SHA256 aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640
SHA512 58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

MD5 9b0256da3bf9a5303141361b3da59823
SHA1 d73f34951777136c444eb2c98394f62912ebcdac
SHA256 96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA512 9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

C:\Users\Admin\AppData\Local\Temp\ab41a0df16d92f4034711e456d4c313a7ac7a831.exe

MD5 662290f458afb73df9df2e3245b4c0b6
SHA1 6278b4a95a718b42b91b9714a32dded4fd6ffc0e
SHA256 aba696a34049ea7d188bf6366797cc2f708c75417ecf6e193d29a7e01acc7640
SHA512 58d364202888cd7a9ffcb6ad3b3e337bb415b45c2f013c59bacb944f6f4c38cce22891c60659deb7558732a75973147bf78f2e6033de68fdc81d982364d11028

C:\Users\Admin\AppData\Local\Temp\600259e1-1932-4b2a-ae21-d3b49c2bbc36.vbs

MD5 8f2dc3bdc9004ce03a6f79d348a1da4d
SHA1 a63427416e6bfaf0698b0f25db0e6aa089ba73f6
SHA256 d643f0983326c089cd42db2c9db4d4aee3fb585eda7ed7029b0186a12f3ed538
SHA512 d0b1ab67451d7079e7c3ca36492e64be4ec0ac19890d232a41f1d7813f46f0047b54093229bdd2e534fabc9410e929690bb8a57f5805d768789204b65dbf7024

C:\Users\Admin\AppData\Local\Temp\600259e1-1932-4b2a-ae21-d3b49c2bbc36.vbs

MD5 8f2dc3bdc9004ce03a6f79d348a1da4d
SHA1 a63427416e6bfaf0698b0f25db0e6aa089ba73f6
SHA256 d643f0983326c089cd42db2c9db4d4aee3fb585eda7ed7029b0186a12f3ed538
SHA512 d0b1ab67451d7079e7c3ca36492e64be4ec0ac19890d232a41f1d7813f46f0047b54093229bdd2e534fabc9410e929690bb8a57f5805d768789204b65dbf7024

C:\Users\Admin\AppData\Local\Temp\4db556d6-1db3-4f25-9272-2e713f3a6062.vbs

MD5 9a31c951f04889231e8d26a196fb5514
SHA1 66a121716fb6c653cf96f2da52ace7a3beea20d4
SHA256 10c27c103d11dd7475be13690f65a0bb688a58875023ae8e3a126c4fceb25166
SHA512 afa83c8a1e4e2fb62d5ec4697edecbdbf3b5d6ae2ed3bb4f6eb84bee2d54458dd9e0338e0ce14a466023e37b9538897f3c662285090ff69e88677cfcc2f4b985