Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-ff4c7sbb76
Target NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe
SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
Tags
rat dcrat evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5

Threat Level: Known bad

The file NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

UAC bypass

Process spawned unexpected child process

DcRat

Dcrat family

DCRat payload

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Creates scheduled task(s)

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-11-18 04:49

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-11-18 04:49
Reported: 2023-11-18 04:52
Platform: win7-20231025-en
Max time kernel: 151s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe (30 identical rows)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\TAPI\spoolsv.exe | N/A (2 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\TAPI\spoolsv.exe | N/A (2 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\TAPI\spoolsv.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (10 identical rows)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\TAPI\spoolsv.exe | N/A (3 identical rows)

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Program Files (x86)\Uninstall Information\RCX62AB.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Program Files (x86)\Uninstall Information\RCX62BC.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX6E2A.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Program Files (x86)\Uninstall Information\services.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX6E98.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Program Files (x86)\Uninstall Information\services.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ShellNew\RCX64CF.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\ShellNew\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\fr-FR\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\TAPI\RCX77E4.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Windows\inf\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Windows\TAPI\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\inf\RCX709C.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\inf\Idle.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\TAPI\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Windows\ShellNew\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Windows\inf\Idle.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Windows\fr-FR\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Windows\TAPI\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\TAPI\RCX7766.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Windows\ShellNew\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\ShellNew\RCX64D0.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\inf\RCX710A.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\fr-FR\RCX732D.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File opened for modification | C:\Windows\fr-FR\RCX733E.tmp | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
File created | C:\Windows\fr-FR\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A (41 identical rows)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (11 identical rows)
N/A | N/A | C:\Windows\TAPI\spoolsv.exe | N/A (12 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (11 identical rows)
Token: SeDebugPrivilege | N/A | C:\Windows\TAPI\spoolsv.exe | N/A (3 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2056 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2056 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | C:\Windows\System32\cmd.exe (3 identical rows)
PID 2532 wrote to memory of 2868 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe (3 identical rows)
PID 2532 wrote to memory of 2776 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\TAPI\spoolsv.exe (3 identical rows)
PID 2776 wrote to memory of 300 | N/A | C:\Windows\TAPI\spoolsv.exe | C:\Windows\System32\WScript.exe (3 identical rows)
PID 2776 wrote to memory of 1744 | N/A | C:\Windows\TAPI\spoolsv.exe | C:\Windows\System32\WScript.exe (3 identical rows)
PID 300 wrote to memory of 1712 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\TAPI\spoolsv.exe (3 identical rows)
PID 1712 wrote to memory of 2348 | N/A | C:\Windows\TAPI\spoolsv.exe | C:\Windows\System32\WScript.exe (3 identical rows)
PID 1712 wrote to memory of 2108 | N/A | C:\Windows\TAPI\spoolsv.exe | C:\Windows\System32\WScript.exe (3 identical rows)
PID 2348 wrote to memory of 1296 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\TAPI\spoolsv.exe (3 identical rows)
PID 1296 wrote to memory of 1528 | N/A | C:\Windows\TAPI\spoolsv.exe | C:\Windows\System32\WScript.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\TAPI\spoolsv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\TAPI\spoolsv.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\inf\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\spoolsv.exe'" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Za1gsZhFgS.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\TAPI\spoolsv.exe

"C:\Windows\TAPI\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79ed3703-1651-4abe-b12c-f7cf4ca16b17.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3646c697-abdf-416e-8de6-61131759a7ef.vbs"

C:\Windows\TAPI\spoolsv.exe

C:\Windows\TAPI\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\139d7c50-689c-408a-a21e-840dbe7afc86.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71f4e2f8-be33-4044-94b0-367163e01f37.vbs"

C:\Windows\TAPI\spoolsv.exe

C:\Windows\TAPI\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d46b765-2e98-4fc0-8ada-fa5da1670b9b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f2de0cc-e322-4e84-9387-7d98466202ad.vbs"

Network

Country Destination Domain Proto
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp

Files

memory/2056-0-0x0000000000F60000-0x00000000010CC000-memory.dmp

memory/2056-1-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

memory/2056-2-0x000000001B2F0000-0x000000001B370000-memory.dmp

memory/2056-3-0x0000000000140000-0x000000000014E000-memory.dmp

memory/2056-4-0x0000000000150000-0x0000000000158000-memory.dmp

memory/2056-5-0x00000000003F0000-0x000000000040C000-memory.dmp

memory/2056-6-0x0000000000160000-0x0000000000168000-memory.dmp

memory/2056-7-0x0000000000490000-0x00000000004A0000-memory.dmp

memory/2056-8-0x00000000004A0000-0x00000000004B6000-memory.dmp

memory/2056-9-0x0000000000640000-0x0000000000650000-memory.dmp

memory/2056-10-0x0000000000650000-0x000000000065A000-memory.dmp

memory/2056-11-0x0000000000660000-0x000000000066C000-memory.dmp

memory/2056-13-0x0000000000680000-0x0000000000688000-memory.dmp

memory/2056-12-0x0000000000670000-0x000000000067C000-memory.dmp

memory/2056-14-0x0000000000690000-0x000000000069C000-memory.dmp

memory/2056-15-0x00000000006B0000-0x00000000006B8000-memory.dmp

memory/2056-16-0x00000000006A0000-0x00000000006AA000-memory.dmp

memory/2056-19-0x00000000006E0000-0x00000000006EE000-memory.dmp

memory/2056-18-0x00000000006D0000-0x00000000006D8000-memory.dmp

memory/2056-17-0x00000000006C0000-0x00000000006CE000-memory.dmp

memory/2056-20-0x000000001B2F0000-0x000000001B370000-memory.dmp

memory/2056-21-0x0000000000B20000-0x0000000000B2C000-memory.dmp

memory/2056-22-0x0000000000B30000-0x0000000000B38000-memory.dmp

memory/2056-23-0x0000000000B40000-0x0000000000B4A000-memory.dmp

memory/2056-24-0x0000000000B50000-0x0000000000B5C000-memory.dmp

C:\MSOCache\All Users\services.exe

MD5 54df88c3e72b8d4229f6bf6adabef9e0
SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d

memory/2056-35-0x000000001B2F0000-0x000000001B370000-memory.dmp

memory/2056-44-0x000000001B2F0000-0x000000001B370000-memory.dmp

memory/2056-48-0x000000001B2F0000-0x000000001B370000-memory.dmp

memory/2056-112-0x000000001B2F0000-0x000000001B370000-memory.dmp

C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe

MD5 7588612f5989cff445f47ab13f240791
SHA1 c9110ffb54f8f668df09de7cd31218163c0b8c6c
SHA256 12ad86590810cda787e267bc97058e233648e03ca31d8823efd8abec4204f297
SHA512 b5d9623162772cc6e18f15969f19f7a4f9ce180eaeb65dc835f36e4b8bb7d0d4eb6283c73d4527f784ef5527f77956e9a7d5d29d2576084446ca8bfee4cfe5fd

memory/2056-124-0x000000001B2F0000-0x000000001B370000-memory.dmp

memory/2056-149-0x000000001B2F0000-0x000000001B370000-memory.dmp

C:\Windows\TAPI\spoolsv.exe

MD5 85c563bbf1adc4274cfb479052de753f
SHA1 36ff2ef94abfea537615d076f78ac5b7ce0b248d
SHA256 4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3
SHA512 b32f8b099981f1eb70d882376ec55c4fa5f613fe8565fe8f28ad538a742d551dfe2a3052450fd86f0994d79cb9611cf0b88f85baf844a5bc0753a387b227c26c

memory/2056-173-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

memory/2056-174-0x000000001B2F0000-0x000000001B370000-memory.dmp

memory/2056-181-0x000000001B2F0000-0x000000001B370000-memory.dmp

memory/2056-179-0x000000001B2F0000-0x000000001B370000-memory.dmp

memory/2056-196-0x000000001B2F0000-0x000000001B370000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a06e7aec2279ad807a2a29b3d144732d
SHA1 00a8aec3ccc96e383364db832c198e76160037bd
SHA256 72de671b0551e1141b0b24e172da3828171908e084501a7d7d651ea9a8b3cd91
SHA512 25a41584437b89a0a5126bc11ab5d4e971efaf7be416b90b26596a4f6caf60c6083585a0e1b19a9e106a12f367c76fee72d7ab9cb75b6a35b2f860eb986e2e81

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G17U6U7JTE2BWCLDJ3CW.temp

MD5 a06e7aec2279ad807a2a29b3d144732d
SHA1 00a8aec3ccc96e383364db832c198e76160037bd
SHA256 72de671b0551e1141b0b24e172da3828171908e084501a7d7d651ea9a8b3cd91
SHA512 25a41584437b89a0a5126bc11ab5d4e971efaf7be416b90b26596a4f6caf60c6083585a0e1b19a9e106a12f367c76fee72d7ab9cb75b6a35b2f860eb986e2e81

memory/2420-197-0x000000001B290000-0x000000001B572000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a06e7aec2279ad807a2a29b3d144732d
SHA1 00a8aec3ccc96e383364db832c198e76160037bd
SHA256 72de671b0551e1141b0b24e172da3828171908e084501a7d7d651ea9a8b3cd91
SHA512 25a41584437b89a0a5126bc11ab5d4e971efaf7be416b90b26596a4f6caf60c6083585a0e1b19a9e106a12f367c76fee72d7ab9cb75b6a35b2f860eb986e2e81

memory/2420-203-0x0000000002410000-0x0000000002418000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a06e7aec2279ad807a2a29b3d144732d
SHA1 00a8aec3ccc96e383364db832c198e76160037bd
SHA256 72de671b0551e1141b0b24e172da3828171908e084501a7d7d651ea9a8b3cd91
SHA512 25a41584437b89a0a5126bc11ab5d4e971efaf7be416b90b26596a4f6caf60c6083585a0e1b19a9e106a12f367c76fee72d7ab9cb75b6a35b2f860eb986e2e81

memory/2056-209-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a06e7aec2279ad807a2a29b3d144732d
SHA1 00a8aec3ccc96e383364db832c198e76160037bd
SHA256 72de671b0551e1141b0b24e172da3828171908e084501a7d7d651ea9a8b3cd91
SHA512 25a41584437b89a0a5126bc11ab5d4e971efaf7be416b90b26596a4f6caf60c6083585a0e1b19a9e106a12f367c76fee72d7ab9cb75b6a35b2f860eb986e2e81

C:\Users\Admin\AppData\Local\Temp\Za1gsZhFgS.bat

MD5 14a7aa00262b97b8068a9165d7357897
SHA1 b450e88e116a51c69df117186232c883a55caa98
SHA256 f7bdb04ac601fa340125748d91e06da23e75f03e1f82412338dd66e781a1c391
SHA512 f2099d73e3481ab08eca10b8684d3484e7e93e46777b4d5389c105c70fa9422f93f2d1027a2a964cba9c6d212f5f2868b4ccf1d0eb2b655394700a55aaa9bf50

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a06e7aec2279ad807a2a29b3d144732d
SHA1 00a8aec3ccc96e383364db832c198e76160037bd
SHA256 72de671b0551e1141b0b24e172da3828171908e084501a7d7d651ea9a8b3cd91
SHA512 25a41584437b89a0a5126bc11ab5d4e971efaf7be416b90b26596a4f6caf60c6083585a0e1b19a9e106a12f367c76fee72d7ab9cb75b6a35b2f860eb986e2e81

memory/1356-240-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a06e7aec2279ad807a2a29b3d144732d
SHA1 00a8aec3ccc96e383364db832c198e76160037bd
SHA256 72de671b0551e1141b0b24e172da3828171908e084501a7d7d651ea9a8b3cd91
SHA512 25a41584437b89a0a5126bc11ab5d4e971efaf7be416b90b26596a4f6caf60c6083585a0e1b19a9e106a12f367c76fee72d7ab9cb75b6a35b2f860eb986e2e81

memory/1356-241-0x0000000002980000-0x0000000002A00000-memory.dmp

memory/2420-242-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/2420-243-0x0000000002360000-0x00000000023E0000-memory.dmp

memory/2420-244-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/1888-247-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/1888-249-0x0000000002B90000-0x0000000002C10000-memory.dmp

memory/2420-253-0x0000000002360000-0x00000000023E0000-memory.dmp

memory/1624-254-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/2420-255-0x0000000002360000-0x00000000023E0000-memory.dmp

memory/1356-252-0x0000000002980000-0x0000000002A00000-memory.dmp

memory/1888-256-0x0000000002B90000-0x0000000002C10000-memory.dmp

memory/3040-257-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/3040-258-0x00000000027B0000-0x0000000002830000-memory.dmp

memory/3040-259-0x00000000027B0000-0x0000000002830000-memory.dmp

memory/3040-260-0x00000000027B0000-0x0000000002830000-memory.dmp

memory/3044-261-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/1624-262-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/2420-263-0x0000000002360000-0x00000000023E0000-memory.dmp

memory/1888-264-0x0000000002B90000-0x0000000002C10000-memory.dmp

memory/1356-265-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/1624-267-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/1624-266-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/3044-268-0x000007FEEDDA0000-0x000007FEEE73D000-memory.dmp

memory/1356-269-0x0000000002984000-0x0000000002987000-memory.dmp

C:\Windows\TAPI\spoolsv.exe

MD5 85c563bbf1adc4274cfb479052de753f
SHA1 36ff2ef94abfea537615d076f78ac5b7ce0b248d
SHA256 4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3
SHA512 b32f8b099981f1eb70d882376ec55c4fa5f613fe8565fe8f28ad538a742d551dfe2a3052450fd86f0994d79cb9611cf0b88f85baf844a5bc0753a387b227c26c

C:\Windows\TAPI\spoolsv.exe

MD5 85c563bbf1adc4274cfb479052de753f
SHA1 36ff2ef94abfea537615d076f78ac5b7ce0b248d
SHA256 4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3
SHA512 b32f8b099981f1eb70d882376ec55c4fa5f613fe8565fe8f28ad538a742d551dfe2a3052450fd86f0994d79cb9611cf0b88f85baf844a5bc0753a387b227c26c

C:\Users\Admin\AppData\Local\Temp\79ed3703-1651-4abe-b12c-f7cf4ca16b17.vbs

MD5 29e0d61c00b8ac4e5be869beca893911
SHA1 ab82c984010088dce3bc8ed12c1edf0f443f2b93
SHA256 64cfbaf57ad520f87cf55eccf40f89353d8662b8ffe0563e3243b91c3c1942fd
SHA512 d057b1b341842afcc14b858020fbe74eb961e1f8f880fe146c029061f4192a4a47265cdc0e27c564da1fba8a77595faefeafcce8bbeba54f20222865cc406164

C:\Users\Admin\AppData\Local\Temp\3646c697-abdf-416e-8de6-61131759a7ef.vbs

MD5 45bbe9c11d10403d41b1cfe12b3fcca9
SHA1 4a1094953009584629bce888c7c2c72b09614afe
SHA256 e2197ca4ee4bbde5bd0fc952420e06014e0ff3b50c85e1c5941af1d01dc1f7f4
SHA512 b0e4a01e5ee17d77b2dc8bc22dd90f075d537b11ce283e66af0e996cd5e69c5473934da81b66042c7d6724b3a74dd415e17e0865d9164c7e8a19da76fafa458c

C:\Windows\TAPI\spoolsv.exe

MD5 85c563bbf1adc4274cfb479052de753f
SHA1 36ff2ef94abfea537615d076f78ac5b7ce0b248d
SHA256 4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3
SHA512 b32f8b099981f1eb70d882376ec55c4fa5f613fe8565fe8f28ad538a742d551dfe2a3052450fd86f0994d79cb9611cf0b88f85baf844a5bc0753a387b227c26c

C:\Users\Admin\AppData\Local\Temp\d0b064419d4715d3a8942dde472a43bd928ae68c.exe

MD5 85c563bbf1adc4274cfb479052de753f
SHA1 36ff2ef94abfea537615d076f78ac5b7ce0b248d
SHA256 4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3
SHA512 b32f8b099981f1eb70d882376ec55c4fa5f613fe8565fe8f28ad538a742d551dfe2a3052450fd86f0994d79cb9611cf0b88f85baf844a5bc0753a387b227c26c

C:\Users\Admin\AppData\Local\Temp\139d7c50-689c-408a-a21e-840dbe7afc86.vbs

MD5 45bbe9c11d10403d41b1cfe12b3fcca9
SHA1 4a1094953009584629bce888c7c2c72b09614afe
SHA256 e2197ca4ee4bbde5bd0fc952420e06014e0ff3b50c85e1c5941af1d01dc1f7f4
SHA512 b0e4a01e5ee17d77b2dc8bc22dd90f075d537b11ce283e66af0e996cd5e69c5473934da81b66042c7d6724b3a74dd415e17e0865d9164c7e8a19da76fafa458c

C:\Users\Admin\AppData\Local\Temp\71f4e2f8-be33-4044-94b0-367163e01f37.vbs

MD5 7ed33e1504bd9e8a33a546eff0583d24
SHA1 80b39149fbc6211a600a7938d60aecf28a732853
SHA256 d22742cd38603bd34ff2041601b3380e8f668a179d09409026fdb37165c6ff20
SHA512 d0c96737fc6652929f4f05f099e5b730ae3b1c966076b3b39f91fff226fa6f5461f4301214911736bf8825b38f7a15f21aa271b6f44f439c93aeeaab87f313aa

C:\Users\Admin\AppData\Local\Temp\139d7c50-689c-408a-a21e-840dbe7afc86.vbs

MD5 45bbe9c11d10403d41b1cfe12b3fcca9
SHA1 4a1094953009584629bce888c7c2c72b09614afe
SHA256 e2197ca4ee4bbde5bd0fc952420e06014e0ff3b50c85e1c5941af1d01dc1f7f4
SHA512 b0e4a01e5ee17d77b2dc8bc22dd90f075d537b11ce283e66af0e996cd5e69c5473934da81b66042c7d6724b3a74dd415e17e0865d9164c7e8a19da76fafa458c

C:\Windows\TAPI\spoolsv.exe

MD5 85c563bbf1adc4274cfb479052de753f
SHA1 36ff2ef94abfea537615d076f78ac5b7ce0b248d
SHA256 4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3
SHA512 b32f8b099981f1eb70d882376ec55c4fa5f613fe8565fe8f28ad538a742d551dfe2a3052450fd86f0994d79cb9611cf0b88f85baf844a5bc0753a387b227c26c

C:\Users\Admin\AppData\Local\Temp\d0b064419d4715d3a8942dde472a43bd928ae68c.exe

MD5 85c563bbf1adc4274cfb479052de753f
SHA1 36ff2ef94abfea537615d076f78ac5b7ce0b248d
SHA256 4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3
SHA512 b32f8b099981f1eb70d882376ec55c4fa5f613fe8565fe8f28ad538a742d551dfe2a3052450fd86f0994d79cb9611cf0b88f85baf844a5bc0753a387b227c26c

C:\Users\Admin\AppData\Local\Temp\9d46b765-2e98-4fc0-8ada-fa5da1670b9b.vbs

MD5 60ce163a25e1362bc96dc3bc307a3d61
SHA1 efded48e409104dad901b0f107e27cc893bc487d
SHA256 960d4c57d26dd9f4fe929b4a8e1cc10cf6d9711e385115c17691211d64e77d03
SHA512 2e522d880c92aaf1f176dd704e90c35da1ed74afd9bb6ffb25f63a6cf4b31674156e7adb38e2a303b96cbb7c9aa4f8ab8972416ca3957cc1eebd16268f0f9cbf

C:\Users\Admin\AppData\Local\Temp\8f2de0cc-e322-4e84-9387-7d98466202ad.vbs

MD5 45bbe9c11d10403d41b1cfe12b3fcca9
SHA1 4a1094953009584629bce888c7c2c72b09614afe
SHA256 e2197ca4ee4bbde5bd0fc952420e06014e0ff3b50c85e1c5941af1d01dc1f7f4
SHA512 b0e4a01e5ee17d77b2dc8bc22dd90f075d537b11ce283e66af0e996cd5e69c5473934da81b66042c7d6724b3a74dd415e17e0865d9164c7e8a19da76fafa458c
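Correlating the Files entries by SHA256 makes the staging visible, which the flat list above hides: the submitted sample's own hash (12bcaa22...) reappears as C:\MSOCache\All Users\services.exe, C:\Windows\TAPI\spoolsv.exe is byte-identical to the Temp file d0b064419d4715d3a8942dde472a43bd928ae68c.exe (a second stage with a different hash from the sample), and three of the GUID-named .vbs launchers share one hash. The script below is an added example, not part of the sandbox report; it parses the report's own "path / digest lines" layout and skips the interleaved memory-dump entries. The excerpt it runs on is copied from the Files section above with only the SHA256 (and, for the first entry, MD5 and SHA1) lines retained.

```python
"""Group the dropped files of a sandbox Files section by SHA256.

Added example, not sandbox code. Input format is the one used above: a path
line, a blank line, then 'MD5 <hex>' / 'SHA1 <hex>' / 'SHA256 <hex>' /
'SHA512 <hex>' lines; 'memory/...' lines are memory-dump regions, not files.
"""
import re

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5"

DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Excerpt copied from the Files section of behavioral1 (SHA512 lines dropped).
FILES_EXCERPT = r"""
C:\MSOCache\All Users\services.exe

MD5 54df88c3e72b8d4229f6bf6adabef9e0
SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5

memory/2056-35-0x000000001B2F0000-0x000000001B370000-memory.dmp

C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe

SHA256 12ad86590810cda787e267bc97058e233648e03ca31d8823efd8abec4204f297

C:\Windows\TAPI\spoolsv.exe

SHA256 4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3

C:\Users\Admin\AppData\Local\Temp\3646c697-abdf-416e-8de6-61131759a7ef.vbs

SHA256 e2197ca4ee4bbde5bd0fc952420e06014e0ff3b50c85e1c5941af1d01dc1f7f4

C:\Windows\TAPI\spoolsv.exe

SHA256 4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3

C:\Users\Admin\AppData\Local\Temp\d0b064419d4715d3a8942dde472a43bd928ae68c.exe

SHA256 4f27b889c2565391045fa158941cb47aef81bc16302a40c2c5ba3691739e3eb3

C:\Users\Admin\AppData\Local\Temp\139d7c50-689c-408a-a21e-840dbe7afc86.vbs

SHA256 e2197ca4ee4bbde5bd0fc952420e06014e0ff3b50c85e1c5941af1d01dc1f7f4

C:\Users\Admin\AppData\Local\Temp\8f2de0cc-e322-4e84-9387-7d98466202ad.vbs

SHA256 e2197ca4ee4bbde5bd0fc952420e06014e0ff3b50c85e1c5941af1d01dc1f7f4
"""


def parse_files_section(text):
    """Return [(path, {digest_name: hex}), ...] in report order; memory dumps skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            current = None          # a memory-dump region; digests that follow belong to nothing
            continue
        m = DIGEST_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2).lower()
        else:
            current = (line, {})    # any other non-blank line starts a new file entry
            entries.append(current)
    return entries


def cluster_by_sha256(text):
    """Map SHA256 -> unique paths that carried it, preserving first-seen order."""
    clusters = {}
    for path, digests in parse_files_section(text):
        sha = digests.get("SHA256")
        if sha is None:
            continue
        paths = clusters.setdefault(sha, [])
        if path not in paths:
            paths.append(path)
    return clusters


def summarize(clusters, sample_sha256=SAMPLE_SHA256):
    """Where the sample copied itself, and which hashes were written to several paths."""
    return {
        "sample_copies": clusters.get(sample_sha256, []),
        "multi_path": {s: p for s, p in clusters.items() if len(p) > 1},
    }


if __name__ == "__main__":
    summary = summarize(cluster_by_sha256(FILES_EXCERPT))
    print("copies of the submitted sample:", summary["sample_copies"])
    for sha, paths in summary["multi_path"].items():
        print(sha[:12], "->", paths)
```

When scoping an incident from such a report, hunt for every hash in a multi-path cluster rather than only the submitted one: the copy registered in the scheduled tasks (C:\Windows\TAPI\spoolsv.exe) is not the sample itself.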

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 04:49

Reported

2023-11-18 04:53

Platform

win10v2004-20231023-en

Max time kernel

165s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\csrss.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\csrss.exe N/A
N/A N/A C:\Recovery\WindowsRE\csrss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\csrss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\de-DE\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
File created C:\Windows\de-DE\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
File created C:\Windows\de-DE\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
File opened for modification C:\Windows\de-DE\RCX950B.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
File opened for modification C:\Windows\de-DE\RCX9CBD.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings C:\Recovery\WindowsRE\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings C:\Recovery\WindowsRE\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3596 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3596 wrote to memory of 5736 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Recovery\WindowsRE\csrss.exe
PID 3596 wrote to memory of 5736 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe C:\Recovery\WindowsRE\csrss.exe
PID 5736 wrote to memory of 5156 N/A C:\Recovery\WindowsRE\csrss.exe C:\Windows\System32\WScript.exe
PID 5736 wrote to memory of 5156 N/A C:\Recovery\WindowsRE\csrss.exe C:\Windows\System32\WScript.exe
PID 5736 wrote to memory of 5220 N/A C:\Recovery\WindowsRE\csrss.exe C:\Windows\System32\WScript.exe
PID 5736 wrote to memory of 5220 N/A C:\Recovery\WindowsRE\csrss.exe C:\Windows\System32\WScript.exe
PID 5156 wrote to memory of 5664 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\csrss.exe
PID 5156 wrote to memory of 5664 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\csrss.exe
PID 5664 wrote to memory of 3532 N/A C:\Recovery\WindowsRE\csrss.exe C:\Windows\System32\WScript.exe
PID 5664 wrote to memory of 3532 N/A C:\Recovery\WindowsRE\csrss.exe C:\Windows\System32\WScript.exe
PID 5664 wrote to memory of 5584 N/A C:\Recovery\WindowsRE\csrss.exe C:\Windows\System32\WScript.exe
PID 5664 wrote to memory of 5584 N/A C:\Recovery\WindowsRE\csrss.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\csrss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.54df88c3e72b8d4229f6bf6adabef9e0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Recovery\WindowsRE\csrss.exe

"C:\Recovery\WindowsRE\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d8bcf71-f23d-4479-9ac7-b92664fc1657.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c81cdece-bd16-43c6-8ba7-2acc0a76a7c6.vbs"

C:\Recovery\WindowsRE\csrss.exe

C:\Recovery\WindowsRE\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\279a4862-757c-452d-aa5b-3eb7074d611a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83239a2d-94d9-466e-8e24-929a88e27bba.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 107.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
UA 77.123.31.10:8080 N/A tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 122.175.53.84.in-addr.arpa udp
UA 77.123.31.10:8080 N/A tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
UA 77.123.31.10:8080 N/A tcp
UA 77.123.31.10:8080 N/A tcp

Files

memory/3596-0-0x00000000006A0000-0x000000000080C000-memory.dmp

memory/3596-1-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

memory/3596-2-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3596-3-0x00000000028D0000-0x00000000028DE000-memory.dmp

memory/3596-4-0x00000000028E0000-0x00000000028E8000-memory.dmp

memory/3596-5-0x00000000028F0000-0x000000000290C000-memory.dmp

memory/3596-6-0x000000001B4A0000-0x000000001B4F0000-memory.dmp

memory/3596-7-0x0000000002920000-0x0000000002928000-memory.dmp

memory/3596-8-0x0000000002930000-0x0000000002940000-memory.dmp

memory/3596-9-0x0000000002940000-0x0000000002956000-memory.dmp

memory/3596-10-0x0000000002960000-0x0000000002970000-memory.dmp

memory/3596-11-0x0000000002970000-0x000000000297A000-memory.dmp

memory/3596-12-0x0000000002980000-0x000000000298C000-memory.dmp

memory/3596-13-0x00000000029A0000-0x00000000029AC000-memory.dmp

memory/3596-14-0x00000000029B0000-0x00000000029B8000-memory.dmp

memory/3596-15-0x000000001B4F0000-0x000000001B4FC000-memory.dmp

memory/3596-16-0x000000001B500000-0x000000001B508000-memory.dmp

memory/3596-18-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3596-17-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3596-19-0x000000001BC60000-0x000000001BC6A000-memory.dmp

memory/3596-20-0x000000001BC70000-0x000000001BC7E000-memory.dmp

memory/3596-21-0x000000001BC80000-0x000000001BC88000-memory.dmp

memory/3596-22-0x000000001BC90000-0x000000001BC9E000-memory.dmp

memory/3596-23-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

memory/3596-24-0x000000001BCB0000-0x000000001BCB8000-memory.dmp

memory/3596-25-0x000000001BCC0000-0x000000001BCCA000-memory.dmp

memory/3596-26-0x000000001BCD0000-0x000000001BCDC000-memory.dmp

memory/3596-29-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3596-30-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3596-33-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

memory/3596-34-0x000000001C2A0000-0x000000001C3A0000-memory.dmp

memory/3596-35-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3596-36-0x000000001C2A0000-0x000000001C3A0000-memory.dmp

memory/3596-41-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3596-42-0x0000000002990000-0x00000000029A0000-memory.dmp

C:\Recovery\WindowsRE\csrss.exe

MD5 54df88c3e72b8d4229f6bf6adabef9e0
SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d

memory/3596-60-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3596-70-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3596-72-0x000000001C2A0000-0x000000001C3A0000-memory.dmp

memory/4880-73-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

memory/4880-74-0x0000024649130000-0x0000024649140000-memory.dmp

memory/4880-75-0x0000024649130000-0x0000024649140000-memory.dmp

memory/4832-77-0x0000012FEC510000-0x0000012FEC520000-memory.dmp

memory/3512-76-0x000001E954FD0000-0x000001E954FE0000-memory.dmp

memory/3108-78-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

memory/3108-80-0x0000021189F70000-0x0000021189F80000-memory.dmp

memory/4756-81-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

memory/4756-82-0x0000029D7F550000-0x0000029D7F560000-memory.dmp

memory/1372-83-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xnho3g5y.rjo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3976-94-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

memory/4756-109-0x0000029D7F320000-0x0000029D7F342000-memory.dmp

memory/3976-147-0x000001B040950000-0x000001B040960000-memory.dmp

memory/3976-174-0x000001B040950000-0x000001B040960000-memory.dmp

memory/488-243-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

memory/8-244-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

memory/8-246-0x0000023746470000-0x0000023746480000-memory.dmp

memory/488-247-0x0000020FA7310000-0x0000020FA7320000-memory.dmp

memory/488-245-0x0000020FA7310000-0x0000020FA7320000-memory.dmp

memory/5076-248-0x000002ADA12B0000-0x000002ADA12C0000-memory.dmp

memory/3512-249-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

memory/4832-250-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

C:\Recovery\WindowsRE\csrss.exe

MD5 54df88c3e72b8d4229f6bf6adabef9e0
SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d

memory/1744-262-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

C:\Recovery\WindowsRE\csrss.exe

MD5 54df88c3e72b8d4229f6bf6adabef9e0
SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d

memory/1744-263-0x000001FA84670000-0x000001FA84680000-memory.dmp

memory/3596-264-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

memory/5076-265-0x00007FF9B0660000-0x00007FF9B1121000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Temp\7d8bcf71-f23d-4479-9ac7-b92664fc1657.vbs

MD5 70b2a9f0a3dd55222e729bd70dbe5f6b
SHA1 7a979224dc14327c74cf7b4237b305e30bc2ddb8
SHA256 bc089e7e8dfdb88e340593412af9af3dad468c580169e677fd9877993892d251
SHA512 85a770e95cd03def2bb20aaa2abe0982db1cb746aa279eaec7c57acd13bcb67df44f889a6252238985e6a1809bdcc950a3c18f147b5ce9253a1d63e22f50a223

C:\Users\Admin\AppData\Local\Temp\c81cdece-bd16-43c6-8ba7-2acc0a76a7c6.vbs

MD5 1ebf7be841955424f63b671d01ee5ebe
SHA1 abe2236e60c57264fe2e90f2c14cc33b9bfc41a7
SHA256 bcf72b16678b1c05d772504f9558b546edb2938b433e6cf7068c3947e7758980
SHA512 99f433060575e67b452957a2e170be7c900cda8e827adb735ebdaf16163120e55622c84100ec19869b1344fab3270530c9e1eb032510598898974c75f52a4d76

C:\Recovery\WindowsRE\csrss.exe

MD5 54df88c3e72b8d4229f6bf6adabef9e0
SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 9b0256da3bf9a5303141361b3da59823
SHA1 d73f34951777136c444eb2c98394f62912ebcdac
SHA256 96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA512 9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

C:\Users\Admin\AppData\Local\Temp\c88b212018e3d354cfac96b9cde4cd80ce2bf2dc.exe

MD5 54df88c3e72b8d4229f6bf6adabef9e0
SHA1 c2c6ff9f9677cdeb3c88e81d97317977ca87e56e
SHA256 12bcaa224d590750b33a90651d922fee72babd1d4f425ecb5f072f1679af21d5
SHA512 9c347e096251b7de0562633aaf0b36cb54e83c4ad3bac70fb77ed5c215034ba96674a23f0d532c318479f839e9320a1f5b75aa387371873edca3a3fecc22034d

C:\Users\Admin\AppData\Local\Temp\83239a2d-94d9-466e-8e24-929a88e27bba.vbs

MD5 1ebf7be841955424f63b671d01ee5ebe
SHA1 abe2236e60c57264fe2e90f2c14cc33b9bfc41a7
SHA256 bcf72b16678b1c05d772504f9558b546edb2938b433e6cf7068c3947e7758980
SHA512 99f433060575e67b452957a2e170be7c900cda8e827adb735ebdaf16163120e55622c84100ec19869b1344fab3270530c9e1eb032510598898974c75f52a4d76

C:\Users\Admin\AppData\Local\Temp\279a4862-757c-452d-aa5b-3eb7074d611a.vbs

MD5 05a28590680a059656a923a6b608b6a0
SHA1 77c73b5cba163ead23bafbfaa38601a129ece182
SHA256 6771f70265e565bb47630ae4561bda15faf30f662a7551c8d6cc9bfd073944a2
SHA512 545d27a02b5501581f98742f52942f27f3113ac2ec6a87c65d8282afbbfd294d26de5568abec6759bbd1026e66207bcad6a0895961d7f3b1bfb5afe5c1bb1804

C:\Users\Admin\AppData\Local\Temp\83239a2d-94d9-466e-8e24-929a88e27bba.vbs

MD5 1ebf7be841955424f63b671d01ee5ebe
SHA1 abe2236e60c57264fe2e90f2c14cc33b9bfc41a7
SHA256 bcf72b16678b1c05d772504f9558b546edb2938b433e6cf7068c3947e7758980
SHA512 99f433060575e67b452957a2e170be7c900cda8e827adb735ebdaf16163120e55622c84100ec19869b1344fab3270530c9e1eb032510598898974c75f52a4d76