Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-dfsklaah3s
Target NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
Tags
rat dcrat evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

Threat Level: Known bad

The file NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

UAC bypass

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Uses Task Scheduler COM API

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-18 02:57

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-18 02:57

Reported

2023-11-18 03:00

Platform

win7-20231023-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Documents\smss.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\All Users\Documents\smss.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\RCX9EB7.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\RCX9EB8.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File created | C:\Program Files (x86)\Google\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\RCX9A80.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\RCX9A02.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\RCX9C93.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\RCX9CA4.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\en-US\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File created | C:\Program Files (x86)\Google\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A
N/A | N/A | C:\Users\All Users\Documents\smss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1320 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Users\All Users\Documents\smss.exe
PID 1320 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Users\All Users\Documents\smss.exe
PID 1320 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | C:\Users\All Users\Documents\smss.exe
PID 1600 wrote to memory of 2724 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 1600 wrote to memory of 2724 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 1600 wrote to memory of 2724 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 1600 wrote to memory of 1628 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 1600 wrote to memory of 1628 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 1600 wrote to memory of 1628 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2724 wrote to memory of 2792 | N/A | C:\Windows\System32\WScript.exe | C:\Users\All Users\Documents\smss.exe
PID 2724 wrote to memory of 2792 | N/A | C:\Windows\System32\WScript.exe | C:\Users\All Users\Documents\smss.exe
PID 2724 wrote to memory of 2792 | N/A | C:\Windows\System32\WScript.exe | C:\Users\All Users\Documents\smss.exe
PID 2792 wrote to memory of 1100 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2792 wrote to memory of 1100 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2792 wrote to memory of 1100 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2792 wrote to memory of 2696 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2792 wrote to memory of 2696 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2792 wrote to memory of 2696 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 1100 wrote to memory of 2828 | N/A | C:\Windows\System32\WScript.exe | C:\Users\All Users\Documents\smss.exe
PID 1100 wrote to memory of 2828 | N/A | C:\Windows\System32\WScript.exe | C:\Users\All Users\Documents\smss.exe
PID 1100 wrote to memory of 2828 | N/A | C:\Windows\System32\WScript.exe | C:\Users\All Users\Documents\smss.exe
PID 2828 wrote to memory of 2428 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 2428 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 2428 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 1620 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 1620 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe
PID 2828 wrote to memory of 1620 | N/A | C:\Users\All Users\Documents\smss.exe | C:\Windows\System32\WScript.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\All Users\Documents\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\All Users\Documents\smss.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Users\All Users\Documents\smss.exe

"C:\Users\All Users\Documents\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c016ce-e911-468c-8b5b-9258fff19634.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59a1127d-ec24-45d1-9edf-6832273bb0a7.vbs"

C:\Users\All Users\Documents\smss.exe

"C:\Users\All Users\Documents\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f1e8466-88bd-41ef-9e26-a0c5b746ecc5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74e596a9-a030-4722-ab3f-678150867930.vbs"

C:\Users\All Users\Documents\smss.exe

"C:\Users\All Users\Documents\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4823b02f-678b-49ce-b8c3-efa8c15d028c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\283103aa-2958-4c01-82e5-36c16518f179.vbs"

Network

Country | Destination | Domain | Proto
UA | 77.123.31.10:8080 | | tcp
UA | 77.123.31.10:8080 | | tcp
UA | 77.123.31.10:8080 | | tcp
UA | 77.123.31.10:8080 | | tcp
UA | 77.123.31.10:8080 | | tcp
UA | 77.123.31.10:8080 | | tcp

Files

memory/1320-0-0x0000000000D60000-0x0000000000ECC000-memory.dmp

memory/1320-1-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

memory/1320-2-0x000000001B200000-0x000000001B280000-memory.dmp

memory/1320-3-0x0000000000160000-0x000000000016E000-memory.dmp

memory/1320-4-0x0000000000560000-0x0000000000568000-memory.dmp

memory/1320-5-0x0000000000B70000-0x0000000000B8C000-memory.dmp

memory/1320-6-0x0000000000B90000-0x0000000000B98000-memory.dmp

memory/1320-7-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

memory/1320-8-0x0000000000D40000-0x0000000000D56000-memory.dmp

memory/1320-9-0x00000000022D0000-0x00000000022E0000-memory.dmp

memory/1320-10-0x00000000022E0000-0x00000000022EA000-memory.dmp

memory/1320-11-0x000000001A770000-0x000000001A77C000-memory.dmp

memory/1320-12-0x000000001A780000-0x000000001A78C000-memory.dmp

memory/1320-13-0x000000001A790000-0x000000001A798000-memory.dmp

memory/1320-14-0x000000001A7A0000-0x000000001A7AC000-memory.dmp

memory/1320-15-0x000000001A8E0000-0x000000001A8E8000-memory.dmp

memory/1320-16-0x000000001A7B0000-0x000000001A7BA000-memory.dmp

memory/1320-17-0x000000001A7C0000-0x000000001A7CE000-memory.dmp

memory/1320-18-0x000000001A7D0000-0x000000001A7D8000-memory.dmp

memory/1320-19-0x000000001A8F0000-0x000000001A8FE000-memory.dmp

memory/1320-20-0x000000001B200000-0x000000001B280000-memory.dmp

memory/1320-21-0x000000001A900000-0x000000001A90C000-memory.dmp

memory/1320-22-0x000000001ACE0000-0x000000001ACE8000-memory.dmp

memory/1320-23-0x000000001ACF0000-0x000000001ACFA000-memory.dmp

memory/1320-24-0x000000001AD00000-0x000000001AD0C000-memory.dmp

memory/1320-33-0x000000001B200000-0x000000001B280000-memory.dmp

C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\audiodg.exe

MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

memory/1320-37-0x000000001B200000-0x000000001B280000-memory.dmp

memory/1320-54-0x000000001B200000-0x000000001B280000-memory.dmp

C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe

MD5 40b8ab027d105aef6ee81351cbf33e01
SHA1 d58d8d96d96b41965e8ae67d0956157c0ce7a9d7
SHA256 9d26d8ab136e6703a8e98cb36847b879bc9284da2ade8792d1f85ecdf600b02c
SHA512 2c50c1238c731f6fb546cda371a4cdbcb6e58fecb92e14321217155a3c55dc2dffad34ea5271a1069c33b44d87775d453701b47e243336eb83d9869190d76e0c

memory/1320-66-0x000000001B200000-0x000000001B280000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 3f21815d5378acb11617b0a9d0dab29a
SHA1 15ae09559113259f5ee4f4580dd6cd07ee73a81b
SHA256 5df0cb3ee007bf9af236f9120c26bedeb0621daff60249a7ca2e601a486b01b9
SHA512 eac7e1c8291b1699836583acf6c541344ccc1d08b5d54cea21a96bbc1f0f11e1cf693852b75446c616cefcd2eec3ff59a0212e725b852f1c1999d47faca7fab3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KQYPVYHCJY6ZSDUUPIHJ.temp

MD5 3f21815d5378acb11617b0a9d0dab29a
SHA1 15ae09559113259f5ee4f4580dd6cd07ee73a81b
SHA256 5df0cb3ee007bf9af236f9120c26bedeb0621daff60249a7ca2e601a486b01b9
SHA512 eac7e1c8291b1699836583acf6c541344ccc1d08b5d54cea21a96bbc1f0f11e1cf693852b75446c616cefcd2eec3ff59a0212e725b852f1c1999d47faca7fab3

memory/1600-134-0x0000000000E30000-0x0000000000F9C000-memory.dmp

C:\Users\All Users\Documents\smss.exe

MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

C:\Users\Public\Documents\smss.exe

MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

memory/1320-159-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

memory/2988-168-0x000000001B3A0000-0x000000001B682000-memory.dmp

memory/2988-169-0x0000000001E50000-0x0000000001E58000-memory.dmp

memory/2216-171-0x000007FEECCF0000-0x000007FEED68D000-memory.dmp

memory/2440-170-0x000007FEECCF0000-0x000007FEED68D000-memory.dmp

memory/2440-174-0x000007FEECCF0000-0x000007FEED68D000-memory.dmp

memory/2236-177-0x00000000024B4000-0x00000000024B7000-memory.dmp

memory/2236-181-0x00000000024BB000-0x0000000002522000-memory.dmp

memory/2440-180-0x0000000002474000-0x0000000002477000-memory.dmp

memory/1260-184-0x00000000026F4000-0x00000000026F7000-memory.dmp

memory/1260-186-0x00000000026FB000-0x0000000002762000-memory.dmp

memory/2160-187-0x00000000025C4000-0x00000000025C7000-memory.dmp

memory/2160-185-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2160-189-0x00000000025CB000-0x0000000002632000-memory.dmp

memory/2988-188-0x000007FEECCF0000-0x000007FEED68D000-memory.dmp

memory/2312-190-0x000007FEECCF0000-0x000007FEED68D000-memory.dmp

memory/2312-192-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/2988-191-0x0000000002AB4000-0x0000000002AB7000-memory.dmp

memory/1600-194-0x000000001B2E0000-0x000000001B360000-memory.dmp

memory/2988-193-0x0000000002ABB000-0x0000000002B22000-memory.dmp

memory/2160-183-0x000007FEECCF0000-0x000007FEED68D000-memory.dmp

memory/2036-195-0x000007FEECCF0000-0x000007FEED68D000-memory.dmp

memory/2312-198-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/2036-200-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/1204-199-0x000007FEECCF0000-0x000007FEED68D000-memory.dmp

memory/2036-197-0x00000000026A4000-0x00000000026A7000-memory.dmp

memory/2312-196-0x0000000002764000-0x0000000002767000-memory.dmp

memory/2440-182-0x000000000247B000-0x00000000024E2000-memory.dmp

memory/1260-179-0x000007FEECCF0000-0x000007FEED68D000-memory.dmp

memory/2216-178-0x000000000261B000-0x0000000002682000-memory.dmp

memory/2216-176-0x0000000002614000-0x0000000002617000-memory.dmp

memory/2216-175-0x0000000002610000-0x0000000002690000-memory.dmp

memory/2236-173-0x000007FEECCF0000-0x000007FEED68D000-memory.dmp

memory/2440-172-0x0000000002470000-0x00000000024F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\59a1127d-ec24-45d1-9edf-6832273bb0a7.vbs

MD5 ff5b97fb6306c641466d345413c11681
SHA1 8645270aa952670b602b443516931ad7b5fffe04
SHA256 5acce3db4501af0de745f5b1b3e7fe36df0c0a0e51dd93cbb6cc2eb7130bb639
SHA512 04928f51a6396437856202b87c1809e12c96e87d7faeddc7d02b70fabd7f1b79bfa54a35df5ccc02998e2e969d89c2985ba3398cbd59fcea9a85433270ed0eda

C:\Users\Admin\AppData\Local\Temp\60c016ce-e911-468c-8b5b-9258fff19634.vbs

MD5 76626e8ba1160dfbd543304eea886658
SHA1 590612efde4ec67322f0e0c5d7c81d2788f4d5cb
SHA256 5c0c925cc7db33998430377e00bc30ffa968c7654b357f8d0ac85cef86674b25
SHA512 233d0476b74e56544c7ff0f703cfb6187b5d52b5e3a7e58baddf18401593233089cde386da9a100c39be1253d90022d428149c1bbabbb63d5390282702ff0905

C:\Users\Admin\AppData\Local\Temp\f41ca93d8deb491c3651a25177edbfdec809d4f4.exe

MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

C:\Users\Admin\AppData\Local\Temp\0f1e8466-88bd-41ef-9e26-a0c5b746ecc5.vbs

MD5 cebd39c9e4f83323f870f0a926bb9507
SHA1 229916c57c503b9f5deb269a5bb13d5fa92f574a
SHA256 0db7f2c37d1ce5a476acb3975f8b64d93a1071257c483696e8b58db82bc6382d
SHA512 e5e7e34846fba1eff398336d933293d119f3255e9baaf3d69bbb98ca0e92cef0a969c9836b304df2f2481c26658c114c176075ef328212e3442e14fda6c7bcbe

C:\Users\Admin\AppData\Local\Temp\74e596a9-a030-4722-ab3f-678150867930.vbs

MD5 ff5b97fb6306c641466d345413c11681
SHA1 8645270aa952670b602b443516931ad7b5fffe04
SHA256 5acce3db4501af0de745f5b1b3e7fe36df0c0a0e51dd93cbb6cc2eb7130bb639
SHA512 04928f51a6396437856202b87c1809e12c96e87d7faeddc7d02b70fabd7f1b79bfa54a35df5ccc02998e2e969d89c2985ba3398cbd59fcea9a85433270ed0eda

C:\Users\Admin\AppData\Local\Temp\4823b02f-678b-49ce-b8c3-efa8c15d028c.vbs

MD5 312bb5bc5578762f5103fc9dd52a9cda
SHA1 8268048dde68f3a9adefc1985b421c01c782586d
SHA256 3e94ff29e3645c26ff2ef289cd2e6ffbc0d0f83aa3071ae652259a76721a7c05
SHA512 a1418d2e305b48b8277dca299dc3dd7d1e6e8878374371a2d480f271388634b319a67e646fd0d4f9eb4319b4d8f5d86cc34d48a9918f8ef4edc98ffee6d5c940

C:\Users\Admin\AppData\Local\Temp\283103aa-2958-4c01-82e5-36c16518f179.vbs

MD5 ff5b97fb6306c641466d345413c11681
SHA1 8645270aa952670b602b443516931ad7b5fffe04
SHA256 5acce3db4501af0de745f5b1b3e7fe36df0c0a0e51dd93cbb6cc2eb7130bb639
SHA512 04928f51a6396437856202b87c1809e12c96e87d7faeddc7d02b70fabd7f1b79bfa54a35df5ccc02998e2e969d89c2985ba3398cbd59fcea9a85433270ed0eda

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 02:57

Reported

2023-11-18 03:00

Platform

win10v2004-20231020-en

Max time kernel

159s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (33 identical events)
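
The behavioral1 process list (powershell.exe adding Defender path exclusions with Add-MpPreference, WScript.exe running .vbs files out of the user's Temp directory) and the table above (wmiprvse.exe spawning schtasks.exe 33 times) are all parent/child and command-line patterns that can be matched from process-creation telemetry. One practical point from the exclusion commands: Add-MpPreference needs administrative rights, so the fact that the exclusions were added at all shows the sample was already running elevated in the sandbox. The Python below is an added example, not sandbox output or DCRat code: it runs the three rules over constructed Sysmon-style records whose field names (parent_image, image, command_line) and parent images are assumed. The wmiprvse rule is broadened beyond schtasks.exe to the other child images an analyst usually alerts on; that wider list is an assumption, not something this report shows.

```python
"""Match the process-creation patterns in this report.

Added example, not sandbox output or DCRat code. Records are constructed
Sysmon-style process-creation events; the field names are assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# behavioral1: Defender exclusion added from the command line.
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b",
                          re.IGNORECASE)
# behavioral1: script host running a .vbs out of the user's Temp directory.
TEMP_VBS_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"]+\.vbs', re.IGNORECASE)
# behavioral2: wmiprvse.exe spawning schtasks.exe. The other children listed
# here are an assumption (common alerting targets), not something this report shows.
WMI_UNEXPECTED_CHILDREN = {"schtasks.exe", "powershell.exe", "cmd.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (either separator accepted)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list:
    """Names of every rule the event matches; an empty list means no finding."""
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image in {"powershell.exe", "pwsh.exe"} and EXCLUSION_RE.search(ev.command_line):
        hits.append("defender_exclusion_added")
    if image in {"wscript.exe", "cscript.exe"} and TEMP_VBS_RE.search(ev.command_line):
        hits.append("script_host_vbs_from_temp")
    if parent == "wmiprvse.exe" and image in WMI_UNEXPECTED_CHILDREN:
        hits.append("wmiprvse_unexpected_child")
    return hits


def scan(events) -> dict:
    """Count rule hits across a batch of events."""
    counts = {}
    for ev in events:
        for rule in evaluate(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed records. Command lines are copied from the report; the parent
# images are assumed for the example.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\All Users\Documents\smss.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'"),
    ProcEvent(r"C:\Users\All Users\Documents\smss.exe",
              r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c016ce-e911-468c-8b5b-9258fff19634.vbs"'),
    ProcEvent(r"C:\Windows\system32\wbem\wmiprvse.exe",
              r"C:\Windows\system32\schtasks.exe",
              "N/A"),  # the report records no command line for these
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command Get-MpPreference"),  # read-only query: no finding
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{basename(ev.parent_image)} -> {basename(ev.image)}: {evaluate(ev) or 'clean'}")
    print(scan(SAMPLE_EVENTS))
```

The rules key on the image name rather than the full path on purpose: the dropped copies in this report run from C:\Users\All Users\Documents and C:\Users\Public\Documents, so a path match on the parent would miss them, while the child (powershell.exe, WScript.exe, schtasks.exe) is always the genuine system binary.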

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A (3 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A (3 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A (3 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (11 identical events)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
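
The three values written to 0 in the two UAC tables above are the registry side of the "UAC bypass" signature: EnableLUA = 0 turns admin approval mode off (it takes effect only after the next reboot), ConsentPromptBehaviorAdmin = 0 makes members of Administrators elevate with no prompt at all, and PromptOnSecureDesktop = 0 takes any remaining prompt off the secure desktop. Writing under HKLM\...\Policies\System already requires administrative rights, so in this run the sample is not getting past a prompt; it is switching prompts off for everything it launches afterwards, which is what lets its dropped copies elevate silently. The Python below is an added example, not part of the report: it parses "Set value" lines in the report's own format into a dict and grades the resulting posture. The constructed input reuses the three NEAS rows from the table and one "Key value queried" row to show that reads are ignored.

```python
"""Grade the UAC policy values this sample sets.

Added example, not part of the report. Input is either a dict of value
names to integers or the report's own 'Set value (int) ... = "<n>"' lines.
"""
import re

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows client defaults for the three values the sample touches.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# Matches the report's 'Set value (int) <key>\<name> = "<n>"' rows; the trailing
# process path and target column are ignored.
SET_VALUE_RE = re.compile(
    r'Set value \(int\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>\w+) = "(?P<val>-?\d+)"'
)


def parse_set_events(lines):
    """Collect the last value written to each name under the UAC policy key.

    'Key value queried' rows (reads) do not match the pattern and are skipped.
    """
    written = {}
    for line in lines:
        m = SET_VALUE_RE.search(line)
        if m and m.group("key") == UAC_KEY:
            written[m.group("name")] = int(m.group("val"))
    return written


def assess_uac(values):
    """Return {'posture': ..., 'findings': [...]} for the effective values."""
    v = {**DEFAULTS, **values}
    findings = []
    if v["EnableLUA"] == 0:
        findings.append("EnableLUA=0: admin approval mode off after the next reboot")
    if v["ConsentPromptBehaviorAdmin"] == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt")
    if v["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: any prompt is drawn on the user desktop")
    if v["EnableLUA"] == 0 or v["ConsentPromptBehaviorAdmin"] == 0:
        posture = "disabled"
    elif findings:
        posture = "weakened"
    else:
        posture = "default"
    return {"posture": posture, "findings": findings}


# Constructed from the three NEAS rows in the table above, plus one read event.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A',
]

if __name__ == "__main__":
    result = assess_uac(parse_set_events(SAMPLE_LINES))
    print(result["posture"])
    for finding in result["findings"]:
        print(" -", finding)
```

On a live host the same grading can be fed from the registry directly; the point of parsing the report's rows is that the posture is "disabled" as soon as either EnableLUA or ConsentPromptBehaviorAdmin hits 0, so a single one of these writes is already worth an alert on its own.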

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC40.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\RCX2D2.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\RCX2E2.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\RCXA1B.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXFC82.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXCCE.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXFC83.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RCXFE98.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RCXFE99.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\RCXA2C.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Resources\Ease of Access Themes\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Windows\Resources\Ease of Access Themes\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Windows\Resources\Ease of Access Themes\RCX4F7.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Windows\Resources\Ease of Access Themes\RCX584.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File opened for modification C:\Windows\Resources\Ease of Access Themes\System.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
File created C:\Windows\ImmersiveControlPanel\es-ES\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
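
Every executable in the two "Drops file" tables above is named after a Windows system process (csrss.exe, RuntimeBroker.exe, backgroundTaskHost.exe, StartMenuExperienceHost.exe, System.exe, services.exe) but written under Program Files or a Windows resource folder where no such binary belongs, and in six of the seven target directories the sample also creates a 14-character hexadecimal file with no extension beside the executable (886983d96e3d3e, 9e8d7a4ca61bd9, eddb19405b7ce1, 55b276f4edf653, 27d1bcfc3c54e0). The RCX*.tmp entries are the temporary files the copy passes through and carry no signal on their own. The Python below is an added example, not sandbox output or DCRat code: it classifies file-creation events into those two components and reports the directories where both landed. The list of trusted locations for such names (System32, SysWOW64, SystemApps, WinSxS) is an assumption made for the example; the events are constructed from the paths in the tables.

```python
"""Classify the file drops recorded in the two 'Drops file' tables.

Added example, not sandbox output or DCRat code. Event records are (action,
path) tuples constructed from the report; the trusted-location list is an
assumption made for this example.
"""
import re
from collections import defaultdict

# Process names this sample borrows for its copies (matched case-insensitively).
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "services.exe", "dllhost.exe", "audiodg.exe",
    "runtimebroker.exe", "backgroundtaskhost.exe", "startmenuexperiencehost.exe",
    "system.exe",
}
# Assumed: directories where a binary with one of those names is legitimate.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\windows\\systemapps\\", "c:\\windows\\winsxs\\",
)
# The companion file: 14 lowercase hex characters, no extension.
HEX_MARKER_RE = re.compile(r"^[0-9a-f]{14}$")


def split_path(path: str):
    """Return (directory with trailing backslash, file name), both lower-cased."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    return directory.lower() + "\\", name.lower()


def classify(action: str, path: str):
    """'masquerading_exe', 'hex_marker', or None for events with no signal."""
    if action != "File created":  # RCX*.tmp modifications carry no signal
        return None
    directory, name = split_path(path)
    if name in SYSTEM_NAMES and not directory.startswith(TRUSTED_DIRS):
        return "masquerading_exe"
    if HEX_MARKER_RE.match(name):
        return "hex_marker"
    return None


def find_drop_pairs(events):
    """Directories in which both a masquerading exe and a hex marker were created."""
    kinds_by_dir = defaultdict(set)
    for action, path in events:
        kind = classify(action, path)
        if kind:
            kinds_by_dir[split_path(path)[0]].add(kind)
    return sorted(d for d, kinds in kinds_by_dir.items()
                  if {"masquerading_exe", "hex_marker"} <= kinds)


# Constructed from the paths in the tables above, plus two controls at the end.
SAMPLE_EVENTS = [
    ("File created", r"C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"),
    ("File created", r"C:\Program Files\Windows Sidebar\Gadgets\886983d96e3d3e"),
    ("File created", r"C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"),
    ("File created", r"C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9"),
    ("File created", r"C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe"),
    ("File created", r"C:\Program Files (x86)\Mozilla Maintenance Service\logs\eddb19405b7ce1"),
    ("File created", r"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"),
    ("File created", r"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\55b276f4edf653"),
    ("File created", r"C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe"),
    ("File created", r"C:\Program Files (x86)\Windows NT\Accessories\en-US\55b276f4edf653"),
    ("File created", r"C:\Windows\Resources\Ease of Access Themes\System.exe"),
    ("File created", r"C:\Windows\Resources\Ease of Access Themes\27d1bcfc3c54e0"),
    ("File created", r"C:\Windows\ImmersiveControlPanel\es-ES\services.exe"),  # exe only, no marker
    ("File opened for modification", r"C:\Program Files\Windows Sidebar\Gadgets\RCXFE98.tmp"),
    ("File created", r"C:\Windows\System32\smss.exe"),  # control: real location, not flagged
]

if __name__ == "__main__":
    for directory in find_drop_pairs(SAMPLE_EVENTS):
        print("masquerading drop pair in", directory)
```

The services.exe copy under ImmersiveControlPanel\es-ES is reported as a masquerading executable by classify() but does not appear in the pair list, because no marker file was created next to it; the pair rule is the higher-confidence signal, and the single-exe rule is the one to tune against a site's own allow list.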

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (33 identical events)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 5504 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
PID 5504 wrote to memory of 5672 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe C:\Windows\System32\WScript.exe
PID 5504 wrote to memory of 5600 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe C:\Windows\System32\WScript.exe
PID 5672 wrote to memory of 5360 N/A C:\Windows\System32\WScript.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
PID 5360 wrote to memory of 5376 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe C:\Windows\System32\WScript.exe
PID 5360 wrote to memory of 5308 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe C:\Windows\System32\WScript.exe
PID 5376 wrote to memory of 2700 N/A C:\Windows\System32\WScript.exe C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
PID 2700 wrote to memory of 2924 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe C:\Windows\System32\WScript.exe
PID 2700 wrote to memory of 3964 N/A C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\odt\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db891c56-9be3-4948-8d71-ef50d2690d66.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229c264e-eaa2-4747-8101-d27050df70c4.vbs"

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\749528d9-d491-47f5-aee3-c6ad106a9dbe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b419a1a-9570-4208-b185-6f2eab245d33.vbs"

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe

"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb357d0b-eebf-485b-97b5-712a2ed5cbba.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d425b5-178e-4d9b-8bfe-4349d79ee7f3.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 122.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
UA 77.123.31.10:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 107.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Windows\Resources\Ease of Access Themes\System.exe

MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

C:\Windows\Resources\Ease of Access Themes\System.exe

MD5 9c3caf358a154b0ad16b39bc268e8fa0
SHA1 5aed72c786c54abf6437dbfd3929ad633bd7b940
SHA256 a521c3be86728c55f9aac6c330dbd704dc1927beb312236f34b0cb5482295d96
SHA512 44dad40780500dd6b2705979d66058e82c04fce82e425f0a1b8e0841be37e7038fc15c0d14db99851b6bf1602a7f25a9941b3097b52350efb303f508ac12765a

C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe

MD5 1ecfae0fc756d98d3d8892e610af1e21
SHA1 4a6a2ff7d044f4ae1dac43c4b116cc6adb8bebbc
SHA256 532d50a9c11b17415c6d1ff2fadec8513962fa60811815179425319ef510f7ee
SHA512 c3b12bb1c537e931e822a60319568abc740193b8ea4861451c2636c5ccc727e0e484ba89e56f1cef4689d8c578300e097142e676eb3a39979de54bab03cc4439

C:\odt\sysmon.exe

MD5 eb54b734dce6b99765cfb815d9de9bb2
SHA1 5ab3d016e9c75fc465c3c742503a3b06e44bef85
SHA256 502bd19b4632ec42df5ca0c541b0b02d7aeefc302d41c8d4b35e8c5d084cc87f
SHA512 725af1e9bbbcfcca5b76a9f8cfd903edf962c9399143249728ce904ec5a1822af1572ad24fee83ad16c358054c65aaa944ed59be7f87b7b76163a3d0709a6f58

C:\ProgramData\upfc.exe

MD5 aaf836b48a20837229d669d91b1e6c37
SHA1 9aa0ba258afc28939a271e6a809bfc95645287a3
SHA256 66afac73bf70cb149180ebc2b44269998eded52254c01f707e41c4b39181ea38
SHA512 407b6b5de69618c1c4b1abaecb7f77bdc360fa60323c7ccdd5724cd30bd584df3e0fe61779335bc55f561e527957e5a380693e6045d4c4c200c1f72d23a482f2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjhaba41.zte.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe

MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e8ce785f8ccc6d202d56fefc59764945
SHA1 ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256 d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA512 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

C:\Users\Admin\AppData\Local\Temp\db891c56-9be3-4948-8d71-ef50d2690d66.vbs

MD5 1dfc292a98891f836f589fe53d139f74
SHA1 806b3f6a003e0519594d1c60b0ba6fdcdca4746a
SHA256 1d953e61f09dc1489bce5da7708092eb983f163f185144f57f754812189f74a8
SHA512 69f3ec7ea0b13d13dcf80cc77c62b96f97a3c7df20dc043396a13eacb99b59d1119eeb4b759d31c63379209b51cd99c396aa1572aa70e1faac11c66bd6dc781f

C:\Users\Admin\AppData\Local\Temp\229c264e-eaa2-4747-8101-d27050df70c4.vbs

MD5 6e9bbd2f1a1bc765611caddb63c92e67
SHA1 ef4d626338e16d1e891e9cd347d16f9547c9da64
SHA256 c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc
SHA512 27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe

MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

MD5 9b0256da3bf9a5303141361b3da59823
SHA1 d73f34951777136c444eb2c98394f62912ebcdac
SHA256 96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA512 9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

C:\Users\Admin\AppData\Local\Temp\ab41a0df16d92f4034711e456d4c313a7ac7a831.exe

MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

C:\Users\Admin\AppData\Local\Temp\3b419a1a-9570-4208-b185-6f2eab245d33.vbs

MD5 6e9bbd2f1a1bc765611caddb63c92e67
SHA1 ef4d626338e16d1e891e9cd347d16f9547c9da64
SHA256 c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc
SHA512 27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d

C:\Users\Admin\AppData\Local\Temp\749528d9-d491-47f5-aee3-c6ad106a9dbe.vbs

MD5 842cd4719713fc8a4042cbae3ffa046e
SHA1 34242f42686f484dbfd549fc471c81890630db60
SHA256 668a5a3c5df19c798475cd5aee11d05331bd9b8617affc2e9a4fcc1d28f0bfd8
SHA512 ea9a5d90dd8eac04f3dfb1761ded5caeefd299322fcbd32ff487070a49707b120762d2a769447be846691eba8968107813622bd7b6a73453ba60713a69e81fbd

C:\Users\Admin\AppData\Local\Temp\3b419a1a-9570-4208-b185-6f2eab245d33.vbs

MD5 6e9bbd2f1a1bc765611caddb63c92e67
SHA1 ef4d626338e16d1e891e9cd347d16f9547c9da64
SHA256 c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc
SHA512 27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe

MD5 5e2ccb97d6bf2f8bedd6d473079c33b0
SHA1 699314bf74a661917771308e7cd6d6b618af2827
SHA256 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
SHA512 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

C:\Users\Admin\AppData\Local\Temp\ab41a0df16d92f4034711e456d4c313a7ac7a831.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\eb357d0b-eebf-485b-97b5-712a2ed5cbba.vbs

MD5 a86c25657d7182ff4e92546a5c26ba03
SHA1 fd8960561484d309747d731e3f47241aa0b4ead1
SHA256 7cdad492f7ab3baa12cc31b72611986a63d8e18b65dace5979d7e1c964a02f69
SHA512 18738c0a0da53c640bcfbae970fb34dc3ee11d4588e97222a8ce908d5a586b83381ebf46a0833847541c15077f5542d5c8059933b7c9c613b173603107aaa558

C:\Users\Admin\AppData\Local\Temp\95d425b5-178e-4d9b-8bfe-4349d79ee7f3.vbs

MD5 6e9bbd2f1a1bc765611caddb63c92e67
SHA1 ef4d626338e16d1e891e9cd347d16f9547c9da64
SHA256 c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc
SHA512 27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d