Malware Analysis Report

2025-08-10 12:27

Sample ID 231119-calz7ahc5w
Target 4d7463d7f489ec7de6ebea288af19270.bin
SHA256 bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48
Tags
rat dcrat evasion infostealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48

Threat Level: Known bad

The file 4d7463d7f489ec7de6ebea288af19270.bin was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

DCRat payload

UAC bypass

DcRat

Dcrat family

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-19 01:52

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-19 01:52

Reported

2023-11-19 01:55

Platform

win7-20231023-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe (x24)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x3)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x3)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x3)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x12)

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x3)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x3)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\RCX5A7A.tmp | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\RCX511E.tmp | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\RCX511F.tmp | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\RCX5A6A.tmp | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\RCX5F10.tmp | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\RCX5F00.tmp | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Logs\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File created | C:\Windows\Logs\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Windows\Logs\RCX5C7E.tmp | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Windows\Logs\RCX5CFC.tmp | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
File opened for modification | C:\Windows\Logs\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x37)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (x12)
N/A | N/A | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x15)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (x12)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x3)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2436 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 896 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 2436 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\cmd.exe (x3)
PID 2724 wrote to memory of 2844 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe (x3)
PID 2724 wrote to memory of 1172 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe (x3)
PID 1172 wrote to memory of 1676 | N/A | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WScript.exe (x3)
PID 1172 wrote to memory of 2764 | N/A | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WScript.exe (x3)
PID 1676 wrote to memory of 2524 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe (x3)
PID 2524 wrote to memory of 1756 | N/A | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WScript.exe (x3)
PID 2524 wrote to memory of 764 | N/A | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WScript.exe (x3)
PID 1756 wrote to memory of 1572 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe (x3)
PID 1572 wrote to memory of 2604 | N/A | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | C:\Windows\System32\WScript.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x3)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x3)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe | N/A (x3)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe

"C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Logs\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4d7463d7f489ec7de6ebea288af192704" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4d7463d7f489ec7de6ebea288af19270" /sc ONLOGON /tr "'C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4d7463d7f489ec7de6ebea288af192704" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f31kVUUl1u.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

"C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a2ce2c-80f1-4bcc-b2b4-8b0347871485.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fec35f8-72b2-46ac-90d3-91d28f27e6a9.vbs"

C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\272f4fd3-e6ab-4e1e-b488-17d73cd59533.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f833930-49d1-4544-bdda-2523dcd0b73a.vbs"

C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3721b736-858f-47ef-8287-f781ce35cc30.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9004547-1c5b-4349-a061-6cee60dbbce7.vbs"

Network

Country Destination Domain Proto
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp
UA 77.123.31.10:8080 tcp

Files

memory/2436-0-0x00000000001F0000-0x000000000035C000-memory.dmp

memory/2436-1-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/2436-2-0x000000001B120000-0x000000001B1A0000-memory.dmp

memory/2436-3-0x0000000000420000-0x000000000042E000-memory.dmp

memory/2436-4-0x0000000000430000-0x0000000000438000-memory.dmp

memory/2436-5-0x0000000000650000-0x000000000066C000-memory.dmp

memory/2436-6-0x0000000000670000-0x0000000000678000-memory.dmp

memory/2436-7-0x0000000000680000-0x0000000000690000-memory.dmp

memory/2436-8-0x00000000008A0000-0x00000000008B6000-memory.dmp

memory/2436-9-0x00000000008C0000-0x00000000008D0000-memory.dmp

memory/2436-10-0x0000000000A70000-0x0000000000A7A000-memory.dmp

memory/2436-11-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

memory/2436-12-0x0000000002050000-0x000000000205C000-memory.dmp

memory/2436-13-0x0000000002060000-0x0000000002068000-memory.dmp

memory/2436-14-0x0000000002070000-0x000000000207C000-memory.dmp

memory/2436-15-0x0000000002090000-0x0000000002098000-memory.dmp

memory/2436-16-0x0000000002080000-0x000000000208A000-memory.dmp

memory/2436-17-0x00000000020A0000-0x00000000020AE000-memory.dmp

memory/2436-18-0x00000000020B0000-0x00000000020B8000-memory.dmp

memory/2436-19-0x00000000020C0000-0x00000000020CE000-memory.dmp

memory/2436-20-0x000000001B120000-0x000000001B1A0000-memory.dmp

memory/2436-21-0x00000000020D0000-0x00000000020DC000-memory.dmp

memory/2436-22-0x00000000020E0000-0x00000000020E8000-memory.dmp

memory/2436-23-0x00000000020F0000-0x00000000020FA000-memory.dmp

memory/2436-24-0x0000000002100000-0x000000000210C000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\dllhost.exe

MD5 4d7463d7f489ec7de6ebea288af19270
SHA1 3a350b9badebb0d9f31bf6472d6f5c69d246ef39
SHA256 bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48
SHA512 1dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4

memory/2436-39-0x000000001B120000-0x000000001B1A0000-memory.dmp

memory/2436-43-0x000000001B120000-0x000000001B1A0000-memory.dmp

memory/2436-50-0x000000001B120000-0x000000001B1A0000-memory.dmp

C:\Users\Default\RCX55C5.tmp

MD5 66b67ed3faae4a63506a65bc0736f102
SHA1 f8fd3942fb901e5f0fba1e11ba974bb49d07631e
SHA256 e8f764ef4f7a6b171cfa9df9676a2b4d908ba224d9604a3957816c2b8d27d887
SHA512 9abf2f47a113b82009a7d10f3ba0a8ad93baa127466a8598c9f13ca512f89b14a44742fbdbd567cbc7057cf109dcfc2dd9ad685ec9c65bc1070fd6c10a7c41bd

C:\Windows\Logs\dllhost.exe

MD5 0f28a750e818c80bffea40c662214e99
SHA1 7972cda164a22b1017af1a4e213850789d92025c
SHA256 a56f488ea9fdf1d26b47bd7e8521b8f904dd1dd351b4efedae048fa523223c4b
SHA512 04380580bee7f59aac06846e1307a713331380af05bbfe7c718c91a29cdcd53217575117933ccb24c15a0e912cdd01cfa95d2744d7ae1e767f5e5902d70007e7

C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

MD5 dc87758a301b810c1468844523b0f496
SHA1 044bf6b07e5e4dc8ff55ce2296d399bf39f219e2
SHA256 40c863b1ec6b7d852fd4061a55243f7fe821e0bd4e516a3060c8a9cd690bc46f
SHA512 0712fbc80b0e40186cb354bd9baec7c9632f979719d224b8c708878ab510cd8c9dd2b7643e9f793befab871cfd7b21da38510fe22a2f2d8b4b448e25c03ec893

memory/2436-141-0x000000001B120000-0x000000001B1A0000-memory.dmp

memory/1380-151-0x000000001B210000-0x000000001B4F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e5a639566f0edd6a8775106a0b9d4982
SHA1 863d46a775163709e1ed0a19d291ab89c6f13f5b
SHA256 7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237
SHA512 9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e5a639566f0edd6a8775106a0b9d4982
SHA1 863d46a775163709e1ed0a19d291ab89c6f13f5b
SHA256 7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237
SHA512 9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e5a639566f0edd6a8775106a0b9d4982
SHA1 863d46a775163709e1ed0a19d291ab89c6f13f5b
SHA256 7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237
SHA512 9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AZWAATKDQJ6LBKM6AS7X.temp

MD5 e5a639566f0edd6a8775106a0b9d4982
SHA1 863d46a775163709e1ed0a19d291ab89c6f13f5b
SHA256 7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237
SHA512 9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

memory/1380-166-0x00000000023D0000-0x00000000023D8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e5a639566f0edd6a8775106a0b9d4982
SHA1 863d46a775163709e1ed0a19d291ab89c6f13f5b
SHA256 7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237
SHA512 9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e5a639566f0edd6a8775106a0b9d4982
SHA1 863d46a775163709e1ed0a19d291ab89c6f13f5b
SHA256 7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237
SHA512 9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e5a639566f0edd6a8775106a0b9d4982
SHA1 863d46a775163709e1ed0a19d291ab89c6f13f5b
SHA256 7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237
SHA512 9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e5a639566f0edd6a8775106a0b9d4982
SHA1 863d46a775163709e1ed0a19d291ab89c6f13f5b
SHA256 7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237
SHA512 9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e5a639566f0edd6a8775106a0b9d4982
SHA1 863d46a775163709e1ed0a19d291ab89c6f13f5b
SHA256 7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237
SHA512 9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e5a639566f0edd6a8775106a0b9d4982
SHA1 863d46a775163709e1ed0a19d291ab89c6f13f5b
SHA256 7b0f41745a63daac17c1d57241a85372a3d8a7510909e1349a83fe03ccf51237
SHA512 9f81cbde2436b538779836bb3397394ea579bce4cb7f8655548466aac81e0391f91900b5a85c4b97b9ac13fedeb3d68e0dbad77630af9ed98bf281a237356af3

C:\Users\Admin\AppData\Local\Temp\f31kVUUl1u.bat

MD5 4796cc41b5bc8c9322c2b447cd6fb561
SHA1 13fe4b12e85d816f93da80fbfd2616b3f268a846
SHA256 7b2bdd40a9cb4781dbac117026cc0ab5cc59834d08a5627c50b88c42e60aaf61
SHA512 3a86d1cf1a42524724650e178b07c31ce6ce78dd39e6075ddbdedcf512418ffeb5a70c1b9f9a12571aafd2df25853b43f4b40b0c19d8bc4aceacc2a9d66ab103

memory/2436-206-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/1380-207-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/1380-208-0x0000000002510000-0x0000000002590000-memory.dmp

memory/1380-209-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/1380-210-0x0000000002510000-0x0000000002590000-memory.dmp

memory/1380-211-0x0000000002510000-0x0000000002590000-memory.dmp

memory/1316-212-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/1316-213-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/1316-214-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/1316-215-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/1316-216-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/1316-217-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/560-218-0x00000000021E0000-0x0000000002260000-memory.dmp

memory/560-219-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/2044-220-0x00000000024F0000-0x0000000002570000-memory.dmp

memory/560-221-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/560-222-0x00000000021E0000-0x0000000002260000-memory.dmp

memory/2044-223-0x00000000024F0000-0x0000000002570000-memory.dmp

memory/1612-224-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/1612-225-0x0000000001F40000-0x0000000001FC0000-memory.dmp

memory/1612-226-0x0000000001F40000-0x0000000001FC0000-memory.dmp

memory/1612-227-0x0000000001F40000-0x0000000001FC0000-memory.dmp

memory/1684-228-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/1684-229-0x0000000002980000-0x0000000002A00000-memory.dmp

memory/1684-230-0x0000000002980000-0x0000000002A00000-memory.dmp

memory/1316-231-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/1684-232-0x0000000002980000-0x0000000002A00000-memory.dmp

memory/1380-233-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/1376-234-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/896-235-0x0000000002A90000-0x0000000002B10000-memory.dmp

C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

MD5 dc87758a301b810c1468844523b0f496
SHA1 044bf6b07e5e4dc8ff55ce2296d399bf39f219e2
SHA256 40c863b1ec6b7d852fd4061a55243f7fe821e0bd4e516a3060c8a9cd690bc46f
SHA512 0712fbc80b0e40186cb354bd9baec7c9632f979719d224b8c708878ab510cd8c9dd2b7643e9f793befab871cfd7b21da38510fe22a2f2d8b4b448e25c03ec893

memory/1172-239-0x0000000000C90000-0x0000000000DFC000-memory.dmp

C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

MD5 dc87758a301b810c1468844523b0f496
SHA1 044bf6b07e5e4dc8ff55ce2296d399bf39f219e2
SHA256 40c863b1ec6b7d852fd4061a55243f7fe821e0bd4e516a3060c8a9cd690bc46f
SHA512 0712fbc80b0e40186cb354bd9baec7c9632f979719d224b8c708878ab510cd8c9dd2b7643e9f793befab871cfd7b21da38510fe22a2f2d8b4b448e25c03ec893

memory/1820-236-0x000007FEEDC40000-0x000007FEEE5DD000-memory.dmp

memory/1820-240-0x0000000002B40000-0x0000000002BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\68a2ce2c-80f1-4bcc-b2b4-8b0347871485.vbs

MD5 d413d3a50c7d48f7390efa10b5b68a12
SHA1 459bb4553e4ca0b6cd8ccf9ba482b8a3a2a3b8b8
SHA256 befc1ded0950b7ce11a33813b94cfacc3e8d3c3881da4785432580b2645f1ebb
SHA512 39476963f4e77ceb5b4fc789b132fcf0abfdd2224ec35674b37980b826c7867af1b439ffcaf0e0c49499d0afb9ddabf52e91365ed446f1e80c05e237fd06999e

C:\Users\Admin\AppData\Local\Temp\9fec35f8-72b2-46ac-90d3-91d28f27e6a9.vbs

MD5 4803bb1ce2b631410289d974217310dc
SHA1 7bf6cc995fbb92597cff6f6720dd56fa16dca5cc
SHA256 637bab380d35d7486134b5004105975b017793ac5b36545f0fbfba88bf1fbf06
SHA512 8288005b9f15538a71e2260c42b24b6d282df5459710f29eab3aefb84f6f43ae6d3626370b56412a3d830bada4cc413fd868d6ee26984c668ccca78d06858184

C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

MD5 dc87758a301b810c1468844523b0f496
SHA1 044bf6b07e5e4dc8ff55ce2296d399bf39f219e2
SHA256 40c863b1ec6b7d852fd4061a55243f7fe821e0bd4e516a3060c8a9cd690bc46f
SHA512 0712fbc80b0e40186cb354bd9baec7c9632f979719d224b8c708878ab510cd8c9dd2b7643e9f793befab871cfd7b21da38510fe22a2f2d8b4b448e25c03ec893

C:\Users\Admin\AppData\Local\Temp\0198774ecd329d5f7bf22f368d795edb26c4bff9.exe

MD5 dc87758a301b810c1468844523b0f496
SHA1 044bf6b07e5e4dc8ff55ce2296d399bf39f219e2
SHA256 40c863b1ec6b7d852fd4061a55243f7fe821e0bd4e516a3060c8a9cd690bc46f
SHA512 0712fbc80b0e40186cb354bd9baec7c9632f979719d224b8c708878ab510cd8c9dd2b7643e9f793befab871cfd7b21da38510fe22a2f2d8b4b448e25c03ec893

C:\Users\Admin\AppData\Local\Temp\9f833930-49d1-4544-bdda-2523dcd0b73a.vbs

MD5 4803bb1ce2b631410289d974217310dc
SHA1 7bf6cc995fbb92597cff6f6720dd56fa16dca5cc
SHA256 637bab380d35d7486134b5004105975b017793ac5b36545f0fbfba88bf1fbf06
SHA512 8288005b9f15538a71e2260c42b24b6d282df5459710f29eab3aefb84f6f43ae6d3626370b56412a3d830bada4cc413fd868d6ee26984c668ccca78d06858184

C:\Users\Admin\AppData\Local\Temp\272f4fd3-e6ab-4e1e-b488-17d73cd59533.vbs

MD5 99111039ff5e5e7b6949b1a885f3e9f7
SHA1 cc403a5600a2f9213a8849fdadbadc586de5c09a
SHA256 107b5e02f467a0ec637fd4b8f12d4806335b44f2706bc5d45b4c0d50687cbf09
SHA512 07635539f3faef86f56e81995340b4ace65e2d69e0502b02d1394dd6520234aebc58eac0c10989cf979b13ac3ab8c1783307fdf018022b883a5edd613cc65e07

C:\Users\Admin\AppData\Local\Temp\9f833930-49d1-4544-bdda-2523dcd0b73a.vbs

MD5 4803bb1ce2b631410289d974217310dc
SHA1 7bf6cc995fbb92597cff6f6720dd56fa16dca5cc
SHA256 637bab380d35d7486134b5004105975b017793ac5b36545f0fbfba88bf1fbf06
SHA512 8288005b9f15538a71e2260c42b24b6d282df5459710f29eab3aefb84f6f43ae6d3626370b56412a3d830bada4cc413fd868d6ee26984c668ccca78d06858184

C:\Users\Admin\Music\4d7463d7f489ec7de6ebea288af19270.exe

MD5 dc87758a301b810c1468844523b0f496
SHA1 044bf6b07e5e4dc8ff55ce2296d399bf39f219e2
SHA256 40c863b1ec6b7d852fd4061a55243f7fe821e0bd4e516a3060c8a9cd690bc46f
SHA512 0712fbc80b0e40186cb354bd9baec7c9632f979719d224b8c708878ab510cd8c9dd2b7643e9f793befab871cfd7b21da38510fe22a2f2d8b4b448e25c03ec893

C:\Users\Admin\AppData\Local\Temp\0198774ecd329d5f7bf22f368d795edb26c4bff9.exe

MD5 dc87758a301b810c1468844523b0f496
SHA1 044bf6b07e5e4dc8ff55ce2296d399bf39f219e2
SHA256 40c863b1ec6b7d852fd4061a55243f7fe821e0bd4e516a3060c8a9cd690bc46f
SHA512 0712fbc80b0e40186cb354bd9baec7c9632f979719d224b8c708878ab510cd8c9dd2b7643e9f793befab871cfd7b21da38510fe22a2f2d8b4b448e25c03ec893

C:\Users\Admin\AppData\Local\Temp\3721b736-858f-47ef-8287-f781ce35cc30.vbs

MD5 dfec2f28197e955fd9fdd14080f180a4
SHA1 b5a2485b8871594fdbb6953a95da02c55b8d725d
SHA256 0fe02e8c56815c109aaa01a969ae6e8d673fe344ca1bdf862266bcd484342930
SHA512 35976011682c5ccd8b0e6d4061785a25d6270f37c78e748554269d95de1d8d4341241c46d84b0dde6527660f3bc61c16f4086496b54f423061b409230549ffd7

C:\Users\Admin\AppData\Local\Temp\b9004547-1c5b-4349-a061-6cee60dbbce7.vbs

MD5 4803bb1ce2b631410289d974217310dc
SHA1 7bf6cc995fbb92597cff6f6720dd56fa16dca5cc
SHA256 637bab380d35d7486134b5004105975b017793ac5b36545f0fbfba88bf1fbf06
SHA512 8288005b9f15538a71e2260c42b24b6d282df5459710f29eab3aefb84f6f43ae6d3626370b56412a3d830bada4cc413fd868d6ee26984c668ccca78d06858184

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-19 01:52

Reported

2023-11-19 01:55

Platform

win10v2004-20231020-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Defender\de-DE\wininit.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Defender\de-DE\RCXA9FF.tmp C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\RCXB0DB.tmp C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\amd64\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Program Files\Windows Defender\de-DE\wininit.exe C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\RCXB0EC.tmp C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXB300.tmp C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Program Files\Windows Defender\de-DE\RCXAA10.tmp C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXB311.tmp C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File created C:\Program Files\Windows Defender\de-DE\wininit.exe C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File created C:\Program Files\Windows Defender\de-DE\56085415360792 C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Windows\addins\RCXA7DC.tmp C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\RCXAE49.tmp C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\RCXAE5A.tmp C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File created C:\Windows\addins\sihost.exe C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Windows\addins\sihost.exe C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File created C:\Windows\addins\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File created C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Windows\addins\RCXA7DB.tmp C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
File opened for modification C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings C:\Program Files\Windows Defender\de-DE\wininit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Defender\de-DE\wininit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 5508 N/A C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe C:\Program Files\Windows Defender\de-DE\wininit.exe
PID 5508 wrote to memory of 5280 N/A C:\Program Files\Windows Defender\de-DE\wininit.exe C:\Windows\System32\WScript.exe
PID 5508 wrote to memory of 5352 N/A C:\Program Files\Windows Defender\de-DE\wininit.exe C:\Windows\System32\WScript.exe
PID 5280 wrote to memory of 260 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Defender\de-DE\wininit.exe
PID 260 wrote to memory of 2372 N/A C:\Program Files\Windows Defender\de-DE\wininit.exe C:\Windows\System32\WScript.exe
PID 260 wrote to memory of 5488 N/A C:\Program Files\Windows Defender\de-DE\wininit.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 4732 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Defender\de-DE\wininit.exe
PID 4732 wrote to memory of 3352 N/A C:\Program Files\Windows Defender\de-DE\wininit.exe C:\Windows\System32\WScript.exe
PID 4732 wrote to memory of 2232 N/A C:\Program Files\Windows Defender\de-DE\wininit.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Defender\de-DE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe

"C:\Users\Admin\AppData\Local\Temp\4d7463d7f489ec7de6ebea288af19270.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'

C:\Program Files\Windows Defender\de-DE\wininit.exe

"C:\Program Files\Windows Defender\de-DE\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2f59dd7-6169-4f69-ab51-594b56de6c90.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4cd69a9-5812-452d-94aa-8ab1c37c6641.vbs"

C:\Program Files\Windows Defender\de-DE\wininit.exe

"C:\Program Files\Windows Defender\de-DE\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa66a7cb-65d8-40cf-bb40-fa150af96a5d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c53138e1-5f69-4375-8358-2d4ac4715a7f.vbs"

C:\Program Files\Windows Defender\de-DE\wininit.exe

"C:\Program Files\Windows Defender\de-DE\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9569fd1d-c2f0-4ba0-8992-74693b793316.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac686863-9ccc-4589-95bb-f22e8fffe1d9.vbs"

Network

Files

C:\Program Files\Java\jre-1.8\lib\amd64\TextInputHost.exe

MD5 4d7463d7f489ec7de6ebea288af19270
SHA1 3a350b9badebb0d9f31bf6472d6f5c69d246ef39
SHA256 bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48
SHA512 1dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yowojx30.aj4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Program Files\Windows Defender\de-DE\wininit.exe

MD5 4d7463d7f489ec7de6ebea288af19270
SHA1 3a350b9badebb0d9f31bf6472d6f5c69d246ef39
SHA256 bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48
SHA512 1dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4

C:\Users\Admin\AppData\Local\Temp\f2f59dd7-6169-4f69-ab51-594b56de6c90.vbs

MD5 7e8902373b0c660cf40ec7bcc10cdb55
SHA1 333d210325e3610c6075419ccdf683c7a3f279b0
SHA256 be60f1eb8f02c9a387551a7415978136ef6ec5cfefc77aa77b77c92ea0310504
SHA512 eb52e00854232eb3df5c28d76184dee692e3f4f20f011d24cf8956d4a307f9af9d73ac25417d52137a23ac45fd7c885c311f7fb322007d8461418243cc0120d0

C:\Users\Admin\AppData\Local\Temp\b4cd69a9-5812-452d-94aa-8ab1c37c6641.vbs

MD5 c102e36fa34d16b1f27b0ac168f08a06
SHA1 ec81d51e780575d8ddcd7850117b7f49bef6522e
SHA256 720a20170ed0167caceffce8b4db82625a02b39a6dbc8bd3e9bf996945552fb3
SHA512 039be8557f80aeb05d898315db6d38ab9ae2f3eda358c74c5ecccac1d7b4c3ad11c67a79cdc76a5ff9934c4f98d784393b128ea0926675a922986b236c2ba9b6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 101c3b86ef1c02c62b7d862c2a47363b
SHA1 3c5e8d309610e5ba41b6b9788bfb826e45864b46
SHA256 9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c
SHA512 d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d6536c16bcf5366ce342a8acf882fa54
SHA1 3cdbc184d2d5b7390741c131e37470f43c06fb50
SHA256 9feb7f3f57d6121d1afd6701d5661a62b8cd793ce61bbd8e8057e481e159a3de
SHA512 27a193f45e9ae767767ad2108d05aa7ea6ed13b321e36966cccc2603052a4921f8b2250e381b544550d0bbcf3edd7401d261b13b1c49e9192d9cd2fae9b04808

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e8ce785f8ccc6d202d56fefc59764945
SHA1 ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256 d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA512 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9611cc3fb39fedd4b0e81d90b044531c
SHA1 e35c10c1c1e29d44222114e0f72d58b3072880fd
SHA256 2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec
SHA512 92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 101c3b86ef1c02c62b7d862c2a47363b
SHA1 3c5e8d309610e5ba41b6b9788bfb826e45864b46
SHA256 9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c
SHA512 d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

C:\Program Files\Windows Defender\de-DE\wininit.exe

MD5 4d7463d7f489ec7de6ebea288af19270
SHA1 3a350b9badebb0d9f31bf6472d6f5c69d246ef39
SHA256 bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48
SHA512 1dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

MD5 9b0256da3bf9a5303141361b3da59823
SHA1 d73f34951777136c444eb2c98394f62912ebcdac
SHA256 96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA512 9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

C:\Users\Admin\AppData\Local\Temp\ab41a0df16d92f4034711e456d4c313a7ac7a831.exe

MD5 4d7463d7f489ec7de6ebea288af19270
SHA1 3a350b9badebb0d9f31bf6472d6f5c69d246ef39
SHA256 bf5bf5a95a275819c1630814b9333fe1fe19d973ecb498de8c56938fa21bfb48
SHA512 1dbc0a0de6fba1461383bcae6bbaece31684f395dd944a5c0b55a071180532772cf23d9b887be7b77e2baa447d54fcead93711709106baca58066d2d5604c6e4

C:\Users\Admin\AppData\Local\Temp\c53138e1-5f69-4375-8358-2d4ac4715a7f.vbs

MD5 c102e36fa34d16b1f27b0ac168f08a06
SHA1 ec81d51e780575d8ddcd7850117b7f49bef6522e
SHA256 720a20170ed0167caceffce8b4db82625a02b39a6dbc8bd3e9bf996945552fb3
SHA512 039be8557f80aeb05d898315db6d38ab9ae2f3eda358c74c5ecccac1d7b4c3ad11c67a79cdc76a5ff9934c4f98d784393b128ea0926675a922986b236c2ba9b6

C:\Users\Admin\AppData\Local\Temp\aa66a7cb-65d8-40cf-bb40-fa150af96a5d.vbs

MD5 d401d2959f55f79492d360e59e242db1
SHA1 e6256ce183b6b1f510810ee41eff0fa095a73440
SHA256 33817e9fbb2b5209270ea07401c41685cd939a006471f7b3926b0cd05c563b58
SHA512 b9ad583fe3212ab8c0259494887afa20f0de716da39108da87de47bc78bfcae05fa2f486b849d9da627ab35d01c0e981228a934679de6bf299acb1cfb4a694ba

C:\Users\Admin\AppData\Local\Temp\9569fd1d-c2f0-4ba0-8992-74693b793316.vbs

MD5 e9d3189dd9b2c8851a0cbd9fdf41f8be
SHA1 1f143a7e1722b97c73bafa3dcf25b0ffc8cb7100
SHA256 cb1d310b730b3c837071ffb0e3562acc7f8c9d4202bc376a15813a02ed899ba1
SHA512 733c6957ed04218f58a5068ef4d2bf1415cbadf53b8f0e8825dec02909b869c6487289f84c1c3ce49034a2cd334c62f82fb888da4ffd2b389e674d358bc1cbd8

C:\Users\Admin\AppData\Local\Temp\ac686863-9ccc-4589-95bb-f22e8fffe1d9.vbs

MD5 c102e36fa34d16b1f27b0ac168f08a06
SHA1 ec81d51e780575d8ddcd7850117b7f49bef6522e
SHA256 720a20170ed0167caceffce8b4db82625a02b39a6dbc8bd3e9bf996945552fb3
SHA512 039be8557f80aeb05d898315db6d38ab9ae2f3eda358c74c5ecccac1d7b4c3ad11c67a79cdc76a5ff9934c4f98d784393b128ea0926675a922986b236c2ba9b6