Malware Analysis Report

2025-08-06 00:36

Sample ID 231207-anb12ahha5
Target 20ec8d347f674ebadc53399ef6aa49cb.exe
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
Tags
rat dcrat evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f

Threat Level: Known bad

The file 20ec8d347f674ebadc53399ef6aa49cb.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer persistence trojan

Modifies WinLogon for persistence

DcRat

Dcrat family

Process spawned unexpected child process

DCRat payload

UAC bypass

DCRat payload

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-07 00:21

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 00:21

Reported

2023-12-07 00:23

Platform

win7-20231129-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\de-DE\101b941d020240 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\lsm.exe\", \"C:\\Windows\\debug\\WIA\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Windows\\Setup\\State\\audiodg.exe\", \"C:\\Windows\\it-IT\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\it-IT\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ServiceProfiles\\LocalService\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\20ec8d347f674ebadc53399ef6aa49cb = "\"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Setup\\State\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\it-IT\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ServiceProfiles\\LocalService\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\debug\\WIA\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Setup\\State\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20ec8d347f674ebadc53399ef6aa49cb = "\"C:\\Windows\\Media\\Quirky\\20ec8d347f674ebadc53399ef6aa49cb.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\debug\\WIA\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\de-DE\101b941d020240 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\csrss.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\it-IT\System.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\it-IT\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\Media\Quirky\efb053bab4605e C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\csrss.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\debug\WIA\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\Setup\State\audiodg.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\Setup\State\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\debug\WIA\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
N/A N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe C:\Windows\System32\cmd.exe
PID 828 wrote to memory of 2400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 828 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
PID 1512 wrote to memory of 3000 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 1512 wrote to memory of 2852 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 3000 wrote to memory of 3012 N/A C:\Windows\System32\WScript.exe C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
PID 3012 wrote to memory of 1616 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 3012 wrote to memory of 2616 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 1616 wrote to memory of 2600 N/A C:\Windows\System32\WScript.exe C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
PID 2600 wrote to memory of 2552 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 2600 wrote to memory of 1072 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 2552 wrote to memory of 2856 N/A C:\Windows\System32\WScript.exe C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
PID 2856 wrote to memory of 584 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 2856 wrote to memory of 904 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 584 wrote to memory of 680 N/A C:\Windows\System32\WScript.exe C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
PID 680 wrote to memory of 848 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 680 wrote to memory of 1536 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 848 wrote to memory of 2860 N/A C:\Windows\System32\WScript.exe C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
PID 2860 wrote to memory of 2456 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 2860 wrote to memory of 2712 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe
PID 2456 wrote to memory of 1804 N/A C:\Windows\System32\WScript.exe C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe
PID 1804 wrote to memory of 2104 N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe

"C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "20ec8d347f674ebadc53399ef6aa49cb2" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "20ec8d347f674ebadc53399ef6aa49cb" /sc ONLOGON /tr "'C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "20ec8d347f674ebadc53399ef6aa49cb2" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Quirky\20ec8d347f674ebadc53399ef6aa49cb.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6duSsQqWjw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

"C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41bd7273-2680-4f7c-aecc-d77a0b6c30fa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7920eb4f-cf22-4b66-a82b-19ad5ed510fa.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67bf951a-fd49-4fe8-88da-62ad79b45680.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32074192-775f-4aa9-ae35-b7a842be07ed.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46535dec-4736-494f-9c64-c2c0add82f7d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e43a469b-893c-417d-8ab7-4f7bf027ec9b.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3544b973-88a7-4a99-a6c8-98ea7fa12259.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c45932db-425b-48ca-9063-ad2734cf808c.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c0b2dcb-6e82-4d0b-89a2-a0951f2de7f2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86c347e-9dad-4cd7-ac18-51ea8ce513f9.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c334203c-f3a8-49b0-bd6b-7b0ca72b947b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f9d0660-ddb6-4918-8caa-57331b96e6bb.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1df24147-8eae-44b8-aa4a-1aecdbb4a5f7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ebc5b65-b5f7-49ae-82d6-92aea4f64404.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33ac1b40-0212-4318-805c-875e831b8cc4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33906f0c-8bb5-49e7-8a9a-88f53a877304.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af5c8f99-bc44-435b-b255-a4049cf272b4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3007ba6-efe9-4452-9159-8a9acbf15039.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6ec34ea-fbdb-4f6a-9803-c8ff588e6b37.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\debcb75f-be70-45c6-b46a-3b8d32ec91d9.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24901394-deda-4337-b718-0a3709822930.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fd11f68-b667-4f21-bfd4-1a23413e4931.vbs"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tool5245636476.000webhostapp.com udp
US 145.14.144.155:80 tool5245636476.000webhostapp.com tcp
US 145.14.145.67:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.34:80 tool5245636476.000webhostapp.com tcp

Files

C:\Windows\it-IT\System.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\6duSsQqWjw.bat

MD5 b8db43950d59d33b301ce5289334c524
SHA1 6d2e12ff0ca4b491042ed3c15139915739c9c1ff
SHA256 8873190d01964c01f592b03bf952862ca639fff15c1b926e1e7a3d269e954b20
SHA512 1bc800e05839d47432103f5faed9e028bc92035b12f6e296001f8bb4fe490fb674f4a93d24dd0bc199c3643082bb124605c03243b30f1cb2ee6c9c247b3a766b

memory/3024-63-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/1512-66-0x0000000000EB0000-0x000000000121A000-memory.dmp

memory/1512-67-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

memory/1512-68-0x000000001B380000-0x000000001B400000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41bd7273-2680-4f7c-aecc-d77a0b6c30fa.vbs

MD5 4a54a34649442f0359c53752d864abfe
SHA1 b1132f2582ffb617a14f2562dbd22a94f3445da1
SHA256 51e777f816adcf889011c8c66c79d6e7f808e0ee5214f4cc2f1c25b40bbcb1be
SHA512 27ae9b3e2b38135b89c715c3043b0e218189ebf9f3154f1565ffa81ceaf0c6c0a6b9daf088773c8fe4828be530478d592c49c2f15f2286db6b55fd9a2200c923

C:\Users\Admin\AppData\Local\Temp\7920eb4f-cf22-4b66-a82b-19ad5ed510fa.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

memory/1512-78-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/3012-80-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

memory/3012-81-0x000000001B230000-0x000000001B2B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\32074192-775f-4aa9-ae35-b7a842be07ed.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

C:\Users\Admin\AppData\Local\Temp\67bf951a-fd49-4fe8-88da-62ad79b45680.vbs

MD5 e3cad206201de24d9cba776c97a35ebf
SHA1 508fb21fea551a78d5f6b27c0bd5bbf3f27b4bf8
SHA256 4ac76b5081e68b0677566e5991e8dba375c395b4ac42ea429366324361341b66
SHA512 e119e2a58637b3982ded6aad04514fa11de2ce34375c7e4f719631d6e04f8524351939f45f26589c5d01d049674d4f02b0d88602bdaaacfb619c2b517524c646

C:\Users\Admin\AppData\Local\Temp\32074192-775f-4aa9-ae35-b7a842be07ed.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

memory/3012-92-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2600-94-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\46535dec-4736-494f-9c64-c2c0add82f7d.vbs

MD5 cbbb8087351e21de19b5ca76567e6559
SHA1 03329d71f523208c935e2953a71fc3b33b74cce6
SHA256 cafaab16c92c34a120eb2e156f7abc74e75711c417eb9d678cf6fb5480010fe5
SHA512 1ca6d9574bc8df72eb11969d22a18f29839ea7c332307dc4ea963156b33b3bf723c790a1fb183d7819096172655008658962fafae161800b3fdd16ff12021714

C:\Users\Admin\AppData\Local\Temp\e43a469b-893c-417d-8ab7-4f7bf027ec9b.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

memory/2600-105-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2856-107-0x00000000001B0000-0x000000000051A000-memory.dmp

memory/2856-108-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

memory/2856-109-0x00000000009D0000-0x00000000009E2000-memory.dmp

memory/2856-110-0x000000001AF20000-0x000000001AF76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\3544b973-88a7-4a99-a6c8-98ea7fa12259.vbs

MD5 de929189f6aedc176bf467cbc2938ac5
SHA1 3a7f3b712f722d08219525eadd569970ab65b6b3
SHA256 ce491f39cb5ab7b03292ded7e8e052062126f109e4225f8cc2318e7f3d7f77de
SHA512 8d39eeb9174668b4d6dfed839ca734aaf8f4ba4b776f91af5844c094dea2385dbf804982b6feb4910325846d26867c7ec298f85fc6012ed165cede87f6a53b6b

C:\Users\Admin\AppData\Local\Temp\c45932db-425b-48ca-9063-ad2734cf808c.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

memory/2856-121-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/680-124-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

memory/680-123-0x0000000000B30000-0x0000000000E9A000-memory.dmp

memory/680-125-0x0000000002710000-0x0000000002790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\2c0b2dcb-6e82-4d0b-89a2-a0951f2de7f2.vbs

MD5 a3b878a5936f511d737e228a8c8009df
SHA1 aa08a3ac58f115fe46c0543a408a30152519b636
SHA256 723cb9dbe34cc317b613b9c8265b79c63842dedacaf9ed682637f47e74484c74
SHA512 13e1e5478588828306433fed9cd0cb69794a54f9f60cad5b9d51807a3a1540fd6d1815ea8bd14f12e3ca2697a259402635721859b1f1a2e76572f4c48ea8cb58

C:\Users\Admin\AppData\Local\Temp\d86c347e-9dad-4cd7-ac18-51ea8ce513f9.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

memory/680-136-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/2860-138-0x0000000000C40000-0x0000000000FAA000-memory.dmp

memory/2860-140-0x000000001AC80000-0x000000001AD00000-memory.dmp

memory/2860-139-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\c334203c-f3a8-49b0-bd6b-7b0ca72b947b.vbs

MD5 b333efd4eba715f6ab7e7de7abb08683
SHA1 0ba0d56132680b5b7bc47066cba159440f6a1d6a
SHA256 5068da928326ba676c020ed59121d1bc7d398ede0b4439135f2002241f7ac54c
SHA512 e4a33146e96e07414619e1e3a5148e48b121198631694fb403e17518b2f449c166a0b32d265cd2a0f45f81cfc39de96e648640b864125cdb55e1e3b95b9664cd

C:\Users\Admin\AppData\Local\Temp\5f9d0660-ddb6-4918-8caa-57331b96e6bb.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

memory/2860-151-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

memory/1804-153-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

memory/1804-154-0x0000000000600000-0x0000000000680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\1df24147-8eae-44b8-aa4a-1aecdbb4a5f7.vbs

MD5 23b0246418d38465028152d1d431d122
SHA1 aad6af8380f6d21424346453e10600384730bdac
SHA256 34d9bc568374347246d6f16a137d073dea7eb840ba344b0408d5037268150750
SHA512 ea4b88872291313a474d492393cfc7f9542038a835a0658316b6be8953c143807a9c391531b58b44f42d30a2e5bd79020847bd985906df59711804e8527f1bd5

C:\Users\Admin\AppData\Local\Temp\4ebc5b65-b5f7-49ae-82d6-92aea4f64404.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

memory/1804-165-0x000007FEF49B0000-0x000007FEF539C000-memory.dmp

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\33ac1b40-0212-4318-805c-875e831b8cc4.vbs

MD5 4b469cf4305015c315ee8da0c5d81232
SHA1 c8e9faec266a6c0091c5a8948b34520364327500
SHA256 564541da59ba974c295ed714d0227f6bbf59b66419b52ec67f4fafcec73a5850
SHA512 cd331a7728be56ba0df4a6fd05959fc694826182f09482518876535e1913783dd7d37512b83c79428e24403f4826cfce358b912c841b180f519bdea4894ed2bb

C:\Users\Admin\AppData\Local\Temp\33906f0c-8bb5-49e7-8a9a-88f53a877304.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\af5c8f99-bc44-435b-b255-a4049cf272b4.vbs

MD5 fa94d1e3e259ee0f921f3a23d1eb42da
SHA1 12cbb1eb58bea6490a32d076a2df2e9c2ccfa405
SHA256 99e3b77a0b3616c91fd83b3dd20eca775dd1b1516994d2307d2b1133713a3fc8
SHA512 b45de7e3414398ac7f8d3b0854713ab3ad77563bf895f0848c19dabed448899932d895aa25779fb415ed92693096f2592d2e5a0916f4836bb326091da2f7acf2

C:\Users\Admin\AppData\Local\Temp\e3007ba6-efe9-4452-9159-8a9acbf15039.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\debcb75f-be70-45c6-b46a-3b8d32ec91d9.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

C:\Users\Admin\AppData\Local\Temp\e6ec34ea-fbdb-4f6a-9803-c8ff588e6b37.vbs

MD5 b77e7e684a3d983929bafa8ccc16ef78
SHA1 34a08ada212b2bd57847cf80144c345a8badfd81
SHA256 2745062dea6a2c57e4591ea516dc8e5914344296010707f891d665d36fc78108
SHA512 ca5466cb094b058c918749de09069c37815ca67f0c6d116e1966f3806603e463a74db2b18b41c306182ae8a5cef14baa62f3a3c5fc3c98b2e369484a8694610e

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\c4a9763be62e12dd57f16f0d2de313a58f920e36.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\24901394-deda-4337-b718-0a3709822930.vbs

MD5 579cc0a8dba7ff07a44200fef2f7955a
SHA1 3cfe75d627dc3932909dbbc7f09a7a7b933c18ef
SHA256 a9ba626a911a33318094e235f07c36c89d924ac40199a7c7f553096e07dfdf28
SHA512 da654bba8c47b0bf3b8e824cf4a0dec3d07f6f6e7b6253481c41b1ae14b8b0cceaf677f576de5e4dfec58fc77f247e91dce6c6d18b1b20953aab967ced145a1c

C:\Users\Admin\AppData\Local\Temp\9fd11f68-b667-4f21-bfd4-1a23413e4931.vbs

MD5 941528fb958adec2b55a4c03d35bdd04
SHA1 d911920e590c86e68debfd48dc6805f635c44aa9
SHA256 8830e6d5702231fe44251c68ff440abbeeac4d6a5e93e0d2a1661675add56544
SHA512 5ed64db5265acef22744825e44c8a693da43f1993d05f63c85dcef856371da3c0bddcd3432543eae9fa277a4184968280d1dd836662614eb90658b0ab899c068

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe

MD5 fe352ec25397d2c4a7454b13533f2ceb
SHA1 21527a7d603408c01a68081ebc0890133d018625
SHA256 1ff67df58a33ef26207e0f16a25a1a6658676fdd88e985d6b3b9ac0dbd2e0509
SHA512 3be4c13cfb9177905e46efb41120e98f7280b1990c48ed3e1f7df90255b0b832fe9d85748671067191d3e07651c58da2b2dfac4989258017dd450554dbc0ceb9

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 00:21

Reported

2023-12-07 00:23

Platform

win10v2004-20231130-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\winlogon.exe\", \"C:\\odt\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\", \"C:\\odt\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\Services\\upfc.exe\", \"C:\\Users\\Admin\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\Idle.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\odt\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\odt\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\odt\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\odt\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Common Files\\Services\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Reference Assemblies\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\WindowsHolographicDevices\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Common Files\\Services\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\SoftwareDistribution\\EventCache.v2\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files\Common Files\Services\upfc.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files\Microsoft Office\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Idle.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files\Microsoft Office\winlogon.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files\Common Files\Services\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\SoftwareDistribution\EventCache.v2\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (57 identical rows collapsed; the 57 /create command lines are listed under Processes below)
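
The 57 schtasks.exe /create command lines listed under Processes below come in threes per dropped binary: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST, named with the binary's stem and the stem with its first letter appended (dllhost / dllhostd, lsass / lsassl, Idle / IdleI). Nineteen triplets cover 18 paths; C:\odt\System.exe is registered twice, and because every call passes /f the later triplet silently overwrites the earlier one. The binaries borrow the names of Windows system processes (lsass.exe, csrss.exe, smss.exe, winlogon.exe, dllhost.exe, spoolsv.exe, explorer.exe) or of kernel pseudo-processes that never exist on disk at all (Idle.exe, System.exe), but are written to directories where those names never occur. The Python below is an added editorial example, not tooling from this report or the sandbox vendor: it parses the command lines and flags each target on those three grounds. The input is fifteen lines copied from the report; the table of legitimate locations is an assumption to extend for your own estate.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fifteen of the 57 schtasks /create lines from the Processes section of this
# report (copied, not constructed): the three tasks for each of five dropped binaries.
SCHTASKS_LINES = r"""
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /f
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /rl HIGHEST /f
""".strip().splitlines()

# Where these executable names live on a stock Windows install (an assumption
# used by the check; extend it for your estate). Idle and System are kernel
# pseudo-processes with no file behind them, so any Idle.exe or System.exe on
# disk is suspect on its own.
LEGIT_DIRS: Dict[str, tuple] = {
    "lsass.exe": (r"c:\windows\system32",),
    "csrss.exe": (r"c:\windows\system32",),
    "smss.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "spoolsv.exe": (r"c:\windows\system32",),
    "dllhost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "explorer.exe": (r"c:\windows",),
}
PSEUDO_PROCESSES = {"idle.exe", "system.exe"}

FLAGS = {
    "tn": re.compile(r'/tn "([^"]*)"'),
    "sc": re.compile(r"/sc (\w+)"),
    "mo": re.compile(r"/mo (\d+)"),
    "tr": re.compile(r"/tr \"'([^']*)'\""),   # the sample double-quotes a single-quoted path
    "rl": re.compile(r"/rl (\w+)"),
}


@dataclass(frozen=True)
class Task:
    name: str
    schedule: str
    every: Optional[int]      # /mo value for MINUTE tasks, None for ONLOGON
    target: str               # the executable the task launches
    run_level: Optional[str]  # "HIGHEST" or None (LIMITED by default)


def _flag(rx: re.Pattern, line: str) -> Optional[str]:
    m = rx.search(line)
    return m.group(1) if m else None


def parse_task(line: str) -> Task:
    """Extract the fields this sample uses from one schtasks /create command line."""
    mo = _flag(FLAGS["mo"], line)
    return Task(_flag(FLAGS["tn"], line), _flag(FLAGS["sc"], line),
                int(mo) if mo else None, _flag(FLAGS["tr"], line), _flag(FLAGS["rl"], line))


def assess(tasks: List[Task]) -> Dict[str, List[str]]:
    """Group tasks by the binary they launch and list why each binary looks like masquerading persistence."""
    by_target: Dict[str, List[Task]] = defaultdict(list)
    for t in tasks:
        by_target[t.target].append(t)
    findings: Dict[str, List[str]] = {}
    for target, group in by_target.items():
        directory, _, exe = target.rpartition("\\")
        stem = exe[:-4] if exe.lower().endswith(".exe") else exe
        reasons = []
        if exe.lower() in PSEUDO_PROCESSES:
            reasons.append(f"{exe} borrows a kernel pseudo-process name that never exists as a file")
        elif exe.lower() in LEGIT_DIRS and directory.lower() not in LEGIT_DIRS[exe.lower()]:
            reasons.append(f"{exe} outside {' or '.join(LEGIT_DIRS[exe.lower()])}")
        # Naming seen throughout this report: "<stem>" and "<stem><first letter of stem>".
        if {t.name for t in group} <= {stem, stem + stem[0]}:
            reasons.append("task names are the stem and the stem with its first letter appended")
        if any(t.schedule == "ONLOGON" and t.run_level == "HIGHEST" for t in group) and any(
            t.schedule == "MINUTE" for t in group
        ):
            reasons.append("ONLOGON at HIGHEST plus MINUTE-interval re-launch tasks")
        findings[target] = reasons
    return findings


if __name__ == "__main__":
    for target, why in assess([parse_task(l) for l in SCHTASKS_LINES]).items():
        print(target)
        for reason in why:
            print("  -", reason)
```

The three checks are deliberately independent: a task whose name follows the stem-plus-letter pattern but launches a binary from System32 would trip only the naming check, while a lone ONLOGON task for C:\Recovery\WindowsRE\lsass.exe would still trip the location check. On the full 57-line set every target trips all three.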

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Recovery\WindowsRE\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Recovery\WindowsRE\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Recovery\WindowsRE\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Recovery\WindowsRE\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Recovery\WindowsRE\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Recovery\WindowsRE\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Recovery\WindowsRE\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Recovery\WindowsRE\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Recovery\WindowsRE\Idle.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A (11 identical rows collapsed)
N/A N/A C:\Recovery\WindowsRE\Idle.exe N/A (53 identical rows collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe C:\Windows\System32\cmd.exe
PID 1612 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe C:\Windows\System32\cmd.exe
PID 1716 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1716 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1716 wrote to memory of 3840 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\Idle.exe
PID 1716 wrote to memory of 3840 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\Idle.exe
PID 3840 wrote to memory of 1684 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3840 wrote to memory of 1684 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3840 wrote to memory of 4268 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3840 wrote to memory of 4268 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 1684 wrote to memory of 4580 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 1684 wrote to memory of 4580 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 4580 wrote to memory of 3928 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 4580 wrote to memory of 3928 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 4580 wrote to memory of 3464 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 4580 wrote to memory of 3464 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3928 wrote to memory of 1432 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 3928 wrote to memory of 1432 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 1432 wrote to memory of 212 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 1432 wrote to memory of 212 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 1432 wrote to memory of 4584 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 1432 wrote to memory of 4584 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 212 wrote to memory of 3756 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 212 wrote to memory of 3756 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 3756 wrote to memory of 2728 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3756 wrote to memory of 2728 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3756 wrote to memory of 4992 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3756 wrote to memory of 4992 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 2728 wrote to memory of 2480 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 2728 wrote to memory of 2480 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 2480 wrote to memory of 4264 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 2480 wrote to memory of 4264 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 2480 wrote to memory of 4712 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 2480 wrote to memory of 4712 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 4264 wrote to memory of 3276 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 4264 wrote to memory of 3276 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 3276 wrote to memory of 4764 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3276 wrote to memory of 4764 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3276 wrote to memory of 3868 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3276 wrote to memory of 3868 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 4764 wrote to memory of 3928 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 4764 wrote to memory of 3928 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 3928 wrote to memory of 3916 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3928 wrote to memory of 3916 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3928 wrote to memory of 2664 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3928 wrote to memory of 2664 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 3916 wrote to memory of 4344 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 3916 wrote to memory of 4344 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 4344 wrote to memory of 884 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 4344 wrote to memory of 884 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 4344 wrote to memory of 4936 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 4344 wrote to memory of 4936 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 884 wrote to memory of 2300 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 884 wrote to memory of 2300 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\Idle.exe
PID 2300 wrote to memory of 4236 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 2300 wrote to memory of 4236 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 2300 wrote to memory of 2848 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
PID 2300 wrote to memory of 2848 N/A C:\Recovery\WindowsRE\Idle.exe C:\Windows\System32\WScript.exe
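
The WriteProcessMemory rows above are the only parent/child record this report gives, and two details matter when turning them into a tree. Each event is printed twice, and the sandbox reused PIDs during the run: 2728 is w32tm.exe when cmd.exe spawns it and WScript.exe when Idle.exe spawns it later, and 3928 is first WScript.exe and then Idle.exe. A map keyed on PID alone would attach later children to the wrong parent. The example below is added editorial code, not from the report or the sandbox vendor: it replays the rows in order, creates a fresh instance per spawn, and checks the writing process's image against the current holder of that PID. On this data it recovers the loop in which each Idle.exe launches two .vbs scripts through WScript.exe and one of them relaunches Idle.exe, nine Idle.exe generations deep, matching the nine Idle.exe rows under AdjustPrivilegeToken. The names O, C, T, I and W are abbreviations for the five image paths in the table.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")

# Abbreviations for the five image paths in the table.
O = r"C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe"
C = r"C:\Windows\System32\cmd.exe"
T = r"C:\Windows\system32\w32tm.exe"
I = r"C:\Recovery\WindowsRE\Idle.exe"
W = r"C:\Windows\System32\WScript.exe"

# The 29 distinct rows of the WriteProcessMemory table, copied from the report.
# The report prints every row twice; the first pair is kept to exercise dedup.
ROWS = [
    f"PID 1612 wrote to memory of 1716 N/A {O} {C}",
    f"PID 1612 wrote to memory of 1716 N/A {O} {C}",
    f"PID 1716 wrote to memory of 2728 N/A {C} {T}",
    f"PID 1716 wrote to memory of 3840 N/A {C} {I}",
    f"PID 3840 wrote to memory of 1684 N/A {I} {W}",
    f"PID 3840 wrote to memory of 4268 N/A {I} {W}",
    f"PID 1684 wrote to memory of 4580 N/A {W} {I}",
    f"PID 4580 wrote to memory of 3928 N/A {I} {W}",
    f"PID 4580 wrote to memory of 3464 N/A {I} {W}",
    f"PID 3928 wrote to memory of 1432 N/A {W} {I}",
    f"PID 1432 wrote to memory of 212 N/A {I} {W}",
    f"PID 1432 wrote to memory of 4584 N/A {I} {W}",
    f"PID 212 wrote to memory of 3756 N/A {W} {I}",
    f"PID 3756 wrote to memory of 2728 N/A {I} {W}",
    f"PID 3756 wrote to memory of 4992 N/A {I} {W}",
    f"PID 2728 wrote to memory of 2480 N/A {W} {I}",
    f"PID 2480 wrote to memory of 4264 N/A {I} {W}",
    f"PID 2480 wrote to memory of 4712 N/A {I} {W}",
    f"PID 4264 wrote to memory of 3276 N/A {W} {I}",
    f"PID 3276 wrote to memory of 4764 N/A {I} {W}",
    f"PID 3276 wrote to memory of 3868 N/A {I} {W}",
    f"PID 4764 wrote to memory of 3928 N/A {W} {I}",
    f"PID 3928 wrote to memory of 3916 N/A {I} {W}",
    f"PID 3928 wrote to memory of 2664 N/A {I} {W}",
    f"PID 3916 wrote to memory of 4344 N/A {W} {I}",
    f"PID 4344 wrote to memory of 884 N/A {I} {W}",
    f"PID 4344 wrote to memory of 4936 N/A {I} {W}",
    f"PID 884 wrote to memory of 2300 N/A {W} {I}",
    f"PID 2300 wrote to memory of 4236 N/A {I} {W}",
    f"PID 2300 wrote to memory of 2848 N/A {I} {W}",
]


@dataclass(eq=False, repr=False)   # parent/children form a cycle; keep default repr away from it
class Proc:
    pid: int
    image: str
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]

    @property
    def depth(self) -> int:
        return 0 if self.parent is None else self.parent.depth + 1


def build_tree(rows: List[str]) -> List[Proc]:
    """Replay the rows in order as spawn events. `live` maps a PID to its current
    holder, so a reused PID gets a fresh Proc instead of corrupting the old one."""
    live, nodes, last = {}, [], None
    for line in rows:
        m = ROW.match(line.strip())
        if not m or m.groups() == last:   # skip unparsable rows and the doubled entries
            continue
        last = m.groups()
        src_pid, dst_pid, src_img, dst_img = int(m[1]), int(m[2]), m[3], m[4]
        parent = live.get(src_pid)
        if parent is None or parent.image != src_img:   # the root, or a reuse never seen being spawned
            parent = Proc(src_pid, src_img)
            live[src_pid] = parent
            nodes.append(parent)
        child = Proc(dst_pid, dst_img, parent)
        parent.children.append(child)
        live[dst_pid] = child   # later rows naming this PID refer to the new holder
        nodes.append(child)
    return nodes


def deepest_chain(nodes: List[Proc]) -> List[str]:
    """Image names from the root down to the deepest process."""
    node, chain = max(nodes, key=lambda n: n.depth), []
    while node is not None:
        chain.append(node.name)
        node = node.parent
    return chain[::-1]


if __name__ == "__main__":
    tree = build_tree(ROWS)
    print(len(tree), "processes,", sum(n.name == "Idle.exe" for n in tree), "Idle.exe generations")
    print(" > ".join(deepest_chain(tree)))
```

The same replay works on any sandbox table that lists writer and target PIDs in event order; what it cannot do is distinguish a genuine second spawn of the same parent/child pair from a doubled log line, which is why only consecutive duplicates are dropped.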

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\Idle.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe

"C:\Users\Admin\AppData\Local\Temp\20ec8d347f674ebadc53399ef6aa49cb.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\EventCache.v2\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\odt\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\odt\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gLRQn5jy2W.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\Idle.exe

"C:\Recovery\WindowsRE\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\327d7c89-d934-45bb-922f-f703e4be55af.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\890a8615-d6c4-40c9-b70e-85a087ce95af.vbs"

C:\Recovery\WindowsRE\Idle.exe

C:\Recovery\WindowsRE\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8998bce-3d4f-4009-9c0e-8859ba9e4e69.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51683b07-20a1-481b-ae4d-46c92f221e37.vbs"

C:\Recovery\WindowsRE\Idle.exe

C:\Recovery\WindowsRE\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\280fb390-02cf-4940-8bb4-69894669b0d2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc7277b3-a0f4-4206-b080-bbf008e3b930.vbs"

C:\Recovery\WindowsRE\Idle.exe

C:\Recovery\WindowsRE\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4476a622-1239-419c-b12b-b6fd93def516.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730e9bea-b176-43ad-bad1-6cbd98c3f3cd.vbs"

C:\Recovery\WindowsRE\Idle.exe

C:\Recovery\WindowsRE\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\444a57c1-dd60-404b-ba4d-5dfd0391b452.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcbe1fe4-5f7b-429e-b978-d6b1210415b7.vbs"

C:\Recovery\WindowsRE\Idle.exe

C:\Recovery\WindowsRE\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af648bd0-9af2-4566-bd36-ab77e32f2b77.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb6e415c-b047-4c37-b09d-4ca051d12f13.vbs"

C:\Recovery\WindowsRE\Idle.exe

C:\Recovery\WindowsRE\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8613c36d-90fd-44f6-bcf1-a7f4daa67318.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54b8b15f-5f75-4b0c-bf4d-3daec22dc83d.vbs"

C:\Recovery\WindowsRE\Idle.exe

C:\Recovery\WindowsRE\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca8a3790-a6e7-40c1-bc29-9e5df56f381e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e93a1958-dab5-4132-a428-abebcca164c4.vbs"

C:\Recovery\WindowsRE\Idle.exe

C:\Recovery\WindowsRE\Idle.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dbcc325-c951-4d65-9c86-32a0bdca3b2e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efdf0b09-e918-4bb2-84df-5455f3c8ade8.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tool5245636476.000webhostapp.com udp
US 145.14.144.155:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 155.144.14.145.in-addr.arpa udp
US 145.14.144.155:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.155:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 145.14.144.155:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.155:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.155:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 145.14.144.155:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 tool5245636476.000webhostapp.com udp
US 145.14.144.66:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 145.14.144.66:80 tool5245636476.000webhostapp.com tcp
US 145.14.144.66:80 tool5245636476.000webhostapp.com tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\ProgramData\WindowsHolographicDevices\OfficeClickToRun.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\gLRQn5jy2W.bat

MD5 8bd2b7ede91ecfc7b58052536f2b7ec7
SHA1 04172e6c52259f4a9c195cd473a5e85b343deab3
SHA256 a8cd99a539aa1622ce415f6126e457fa03a5397a962f18b1c403c87d2daed57a
SHA512 822e2e954a9528103fdd62a62fff36e93672be1bb42a5ff9ce3cb8c213f8e8828befd667d6980ad3a12bf63434f9c35bf6f5a1b60a449143ae01bee2f329ff6f

C:\Recovery\WindowsRE\Idle.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\327d7c89-d934-45bb-922f-f703e4be55af.vbs

MD5 9c0778de2ff06827464a84a2450cc3ad
SHA1 685667a52b25babc302f5a410310d70c1589b0ac
SHA256 6893f416819ee06870e6b87164193910f8a1ddab0218737dcd416e16870b2414
SHA512 d821cda6d008a16a4844fc479be04a94a0b9e8deddb43d14e83005e6ca4c5182d5a2db681137125bbf6108672f528ec5bbd729333d83cb4fe9b9fdbff53596a7

C:\Users\Admin\AppData\Local\Temp\890a8615-d6c4-40c9-b70e-85a087ce95af.vbs

MD5 9e639d038c856f39aabd1fbd4becc9ef
SHA1 a89f190f2f235d9039fefd566a814116cb8ca913
SHA256 29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
SHA512 b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

C:\Users\Admin\AppData\Local\Temp\5bb2b87cf27a024d00107e7ee845fa2ec61451a0.exe

MD5 20ec8d347f674ebadc53399ef6aa49cb
SHA1 f418d228eb276f216b4986b55b2c762d11991a31
SHA256 9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
SHA512 e12b33da63567ab715a3040b3117ab52e98fe4d865811b4c9c4c17ef018c80a73cd2325f6a794d57c87b5065e41147df5d2246ffec5099b70c6d8c2330acfd44

C:\Users\Admin\AppData\Local\Temp\51683b07-20a1-481b-ae4d-46c92f221e37.vbs

MD5 9e639d038c856f39aabd1fbd4becc9ef
SHA1 a89f190f2f235d9039fefd566a814116cb8ca913
SHA256 29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
SHA512 b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

C:\Users\Admin\AppData\Local\Temp\c8998bce-3d4f-4009-9c0e-8859ba9e4e69.vbs

MD5 9071e6059286afe0ef7772ea202441da
SHA1 9f690276214537b14129e3b5d7b940052f5b4b92
SHA256 e8e766a0e8c90a22563d2937b010f887224759e67603e2339976129cf4169724
SHA512 7997723841139ea3e6d41a8f975b51cc97f5236decf84f87921b1694b991122db1c05ab6400450561802e626c945a6e64456da90022ea56a17a7733cf2d20eb4

C:\Users\Admin\AppData\Local\Temp\280fb390-02cf-4940-8bb4-69894669b0d2.vbs

MD5 a32163308b7c7c65325f10614f00babf
SHA1 d789b82a033dc7721f17651fbf430ef67bce38ac
SHA256 a520c5d5bf2cf19b5b6d485192d9deecbb84a4bdb86861e48a44b0a63b732ac8
SHA512 649dd943668c9995f85bbd71d63d590fa1e95b0a699f0b64dca55e5f31930b9a56d2c3ba0ea3d52115a58dd8630cccd0b55661e76b82f3eec6232995fb5ecc1f

C:\Users\Admin\AppData\Local\Temp\bc7277b3-a0f4-4206-b080-bbf008e3b930.vbs

MD5 9e639d038c856f39aabd1fbd4becc9ef
SHA1 a89f190f2f235d9039fefd566a814116cb8ca913
SHA256 29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
SHA512 b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

C:\Users\Admin\AppData\Local\Temp\4476a622-1239-419c-b12b-b6fd93def516.vbs

MD5 a67b70ea5afd738b4ad2a3e724da5d40
SHA1 e99d42a6eebe4003d1482cb5f62cf8d84681967f
SHA256 3e5fc79f7144242b07470796a5412a441ef6c14f11ed2d0c6a138ada26167274
SHA512 aba154c10995978332397e1e7f529bd5ec42bb44869747e28a5d309a5235e1a99946a4df559b31c01b9a8065a733327cbf86f89afa8efdf5c1d4263efe38f3f4

C:\Users\Admin\AppData\Local\Temp\730e9bea-b176-43ad-bad1-6cbd98c3f3cd.vbs

MD5 9e639d038c856f39aabd1fbd4becc9ef
SHA1 a89f190f2f235d9039fefd566a814116cb8ca913
SHA256 29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
SHA512 b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

C:\Users\Admin\AppData\Local\Temp\444a57c1-dd60-404b-ba4d-5dfd0391b452.vbs

MD5 f1981cded8c737feff3c0df65d841968
SHA1 5e02aa4e8b6e522b60b2b301da3c7ba3d37524aa
SHA256 41191250ed6b77849d403cfaecc043e86ccf9ec25674d495ec04647b1795d426
SHA512 e97d9dc8534e69103d5b532bbc37225aff27b40c2ac3debeb72934776d023f9a27c7e04458cecb52e58c8b1aaa81b969a79b577291f8184e3494fe9f2dd0a19e

C:\Users\Admin\AppData\Local\Temp\bcbe1fe4-5f7b-429e-b978-d6b1210415b7.vbs

MD5 9e639d038c856f39aabd1fbd4becc9ef
SHA1 a89f190f2f235d9039fefd566a814116cb8ca913
SHA256 29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
SHA512 b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

C:\Users\Admin\AppData\Local\Temp\af648bd0-9af2-4566-bd36-ab77e32f2b77.vbs

MD5 77ee81e221338d48988c781fd958057e
SHA1 201444d030b8eb444c5f876ff39a3de783b10971
SHA256 d5ee4fd6ebd981926610464e24341b446fb8a9f1e4ddb996ea338ee249ec6180
SHA512 5120825640b14dccb6b807985f780171bead8fb355fb0cf43a7324d55293a6240e9978bef8f49decff0e2c48fb09ecb44ee23e0c62dfb90c6725104ea9e2587e

C:\Users\Admin\AppData\Local\Temp\eb6e415c-b047-4c37-b09d-4ca051d12f13.vbs

MD5 9e639d038c856f39aabd1fbd4becc9ef
SHA1 a89f190f2f235d9039fefd566a814116cb8ca913
SHA256 29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
SHA512 b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

C:\Users\Admin\AppData\Local\Temp\8613c36d-90fd-44f6-bcf1-a7f4daa67318.vbs

MD5 6660635041bc83949ed6d29065c97492
SHA1 4d9699342582ef91ef9223b5df15ced539959028
SHA256 cdfcd6d0d3bd63b4f3c5f0dd95defe4e6f18a5926e1f6de3154912dfeb180de9
SHA512 0215af55a8dd9f81be4dc9e13474c08c92005f00322eed52e07d55f7c86d8080ccb706bf530127e094406c2978770005683806d84c78e13d914a560c5e8e01cf

C:\Users\Admin\AppData\Local\Temp\54b8b15f-5f75-4b0c-bf4d-3daec22dc83d.vbs

MD5 9e639d038c856f39aabd1fbd4becc9ef
SHA1 a89f190f2f235d9039fefd566a814116cb8ca913
SHA256 29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
SHA512 b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

C:\Users\Admin\AppData\Local\Temp\ca8a3790-a6e7-40c1-bc29-9e5df56f381e.vbs

MD5 eef485156adaac0047dc106227efed52
SHA1 3dd18ff24e98aeee8243b4f0f04ddbdcb5747d8f
SHA256 c9826d70ba7e04fb1ec653cf3803268c15ab4b9f24b00fca9efb0a0053426b1b
SHA512 6c7c63f79c33c03a68047c58c6427025a6b5fcadbbd60a64569f6f2f249b53ab1a2950b77e4a9e72e4f206d800eb14f01265befef4f2c95f9803bbef6ed828f4

C:\Users\Admin\AppData\Local\Temp\e93a1958-dab5-4132-a428-abebcca164c4.vbs

MD5 9e639d038c856f39aabd1fbd4becc9ef
SHA1 a89f190f2f235d9039fefd566a814116cb8ca913
SHA256 29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
SHA512 b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4

C:\Users\Admin\AppData\Local\Temp\2dbcc325-c951-4d65-9c86-32a0bdca3b2e.vbs

MD5 0123a3feebc04de019335c4d2ebf8be7
SHA1 ff3b83d575dafae7b76247dd4c68197ec7b4b1c6
SHA256 5504f7a63995932fe5f059f28c74c548c9cb69ca937d64472336d41ba999e2bc
SHA512 f04956eeaeefa745d3ab2185928d66cc8410e881b2857354de0d0e23246b2991c6f294c3047201584dcda0a513a884b495ccf4844782cc39d3cca8ac006c7206

C:\Users\Admin\AppData\Local\Temp\efdf0b09-e918-4bb2-84df-5455f3c8ade8.vbs

MD5 9e639d038c856f39aabd1fbd4becc9ef
SHA1 a89f190f2f235d9039fefd566a814116cb8ca913
SHA256 29948f44976c8cdb9b673a2050ed09d7a26347c2d717ad416e1457818cb43b58
SHA512 b29c59adbc79463ec1131c673eae74437487455a9dfe258ff21f82ad5e139e2a02a0ac67e92254b9b7cbab36d87347c00c448351e06d59e2b7069f2106f486d4