Malware Analysis Report

2025-06-15 19:46

Sample ID 240324-r5amzadc92
Target 1994f3ef2118aeecbb74e6c8976fd47b.exe
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
Tags: dcrat evasion infostealer rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c

Threat Level: Known bad

The file 1994f3ef2118aeecbb74e6c8976fd47b.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

Dcrat family

DcRat

DCRat payload

UAC bypass

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Creates scheduled task(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-24 14:46

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-24 14:46

Reported

2024-03-24 14:48

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Windows\IME\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\IME\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files\dotnet\swidtag\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files\dotnet\swidtag\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IME\sihost.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\IME\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\rescache\_merged\1973483750\csrss.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\DigitalLocker\en-US\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\DigitalLocker\en-US\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\56085415360792 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings C:\Windows\IME\sihost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Windows\IME\sihost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\IME\sihost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Windows\IME\sihost.exe
PID 2824 wrote to memory of 3016 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 2824 wrote to memory of 2384 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 3016 wrote to memory of 2340 N/A C:\Windows\System32\WScript.exe C:\Windows\IME\sihost.exe
PID 2340 wrote to memory of 3304 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 2340 wrote to memory of 4544 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 3304 wrote to memory of 1600 N/A C:\Windows\System32\WScript.exe C:\Windows\IME\sihost.exe
PID 1600 wrote to memory of 4668 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 1600 wrote to memory of 3248 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 4668 wrote to memory of 5100 N/A C:\Windows\System32\WScript.exe C:\Windows\IME\sihost.exe
PID 5100 wrote to memory of 1180 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 5100 wrote to memory of 4960 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 1180 wrote to memory of 736 N/A C:\Windows\System32\WScript.exe C:\Windows\IME\sihost.exe
PID 736 wrote to memory of 3836 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 736 wrote to memory of 3736 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 3836 wrote to memory of 1004 N/A C:\Windows\System32\WScript.exe C:\Windows\IME\sihost.exe
PID 1004 wrote to memory of 3956 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 1004 wrote to memory of 5000 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 3956 wrote to memory of 800 N/A C:\Windows\System32\WScript.exe C:\Windows\IME\sihost.exe
PID 800 wrote to memory of 4268 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 800 wrote to memory of 2308 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 4268 wrote to memory of 1816 N/A C:\Windows\System32\WScript.exe C:\Windows\IME\sihost.exe
PID 1816 wrote to memory of 4564 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 1816 wrote to memory of 1284 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 4564 wrote to memory of 5032 N/A C:\Windows\System32\WScript.exe C:\Windows\IME\sihost.exe
PID 5032 wrote to memory of 2824 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 5032 wrote to memory of 4964 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 2824 wrote to memory of 2524 N/A C:\Windows\System32\WScript.exe C:\Windows\IME\sihost.exe
PID 2524 wrote to memory of 948 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 2524 wrote to memory of 2016 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe
PID 948 wrote to memory of 2600 N/A C:\Windows\System32\WScript.exe C:\Windows\IME\sihost.exe
PID 2600 wrote to memory of 4872 N/A C:\Windows\IME\sihost.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\IME\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\IME\sihost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe

"C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\IME\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\swidtag\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\swidtag\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\IME\sihost.exe

"C:\Windows\IME\sihost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15234ff9-bbcb-4579-9fda-e93d30bb2914.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b013b4bb-b03a-4ba4-ac08-5670cf4f0c95.vbs"

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da48e0fc-f022-4033-b910-4729c7b9c20f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc2caa68-021d-4fb2-bc92-19db02bbde9b.vbs"

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b70013c-6727-4b82-9265-3fa9548cc030.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48235334-98bc-48cc-b170-61e59946c04a.vbs"

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7567cb4-16d5-4dff-b4bb-bb84e6e28a7f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcac7a25-e525-42fb-87d0-bad48b43bcb8.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:8

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94e6685f-aa57-4d24-9a3a-e4862051ea63.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c64d213-d109-470c-b1a5-f4ebaec1a296.vbs"

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3efcd243-0177-4d7d-89ed-122ed781660d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c13d4804-f98e-4837-85df-14e90c84afc0.vbs"

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e47e9233-795b-4e17-9aac-54f6c06d962e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67a842c9-65c9-44a9-9e03-63f55a2d2296.vbs"

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21442f3d-ae3b-4097-9039-dcde8eb658b0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a29f429e-4d42-4939-9ce2-86d93ef89156.vbs"

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9155a3a-ba96-4998-99c7-f3b012b76dbb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a5418e9-65dc-492f-b816-a8551bc8866c.vbs"

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc19abc5-01c1-4dcd-93fb-918855712286.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\447d858a-acb8-4a4f-828f-f01f7363e6c2.vbs"

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e04fe46-58ee-46b5-b9dd-f868daf08af9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75124d03-8375-4cca-a474-3121e6e88ef1.vbs"

C:\Windows\IME\sihost.exe

C:\Windows\IME\sihost.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 a0917913.xsph.ru udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
GB 13.105.221.16:443 tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/3652-0-0x0000000000340000-0x0000000000670000-memory.dmp

memory/3652-1-0x00007FFC444D0000-0x00007FFC44F91000-memory.dmp

memory/3652-2-0x000000001B340000-0x000000001B350000-memory.dmp

memory/3652-3-0x0000000000F90000-0x0000000000F9E000-memory.dmp

memory/3652-4-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

memory/3652-5-0x0000000002770000-0x0000000002778000-memory.dmp

memory/3652-6-0x0000000002780000-0x0000000002788000-memory.dmp

memory/3652-7-0x0000000002790000-0x00000000027A0000-memory.dmp

memory/3652-8-0x00000000027A0000-0x00000000027B6000-memory.dmp

memory/3652-9-0x00000000027C0000-0x00000000027C8000-memory.dmp

memory/3652-10-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/3652-11-0x00000000027F0000-0x00000000027FC000-memory.dmp

memory/3652-12-0x00000000027E0000-0x00000000027E8000-memory.dmp

memory/3652-13-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3652-14-0x0000000002810000-0x000000000281A000-memory.dmp

memory/3652-15-0x000000001BA50000-0x000000001BAA6000-memory.dmp

memory/3652-16-0x0000000002820000-0x000000000282C000-memory.dmp

memory/3652-17-0x000000001B310000-0x000000001B318000-memory.dmp

memory/3652-18-0x000000001B320000-0x000000001B32C000-memory.dmp

memory/3652-19-0x000000001B330000-0x000000001B338000-memory.dmp

memory/3652-20-0x000000001BAA0000-0x000000001BAB2000-memory.dmp

memory/3652-21-0x000000001C000000-0x000000001C528000-memory.dmp

memory/3652-22-0x000000001BAD0000-0x000000001BADC000-memory.dmp

memory/3652-23-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

memory/3652-24-0x000000001BAF0000-0x000000001BAF8000-memory.dmp

memory/3652-25-0x000000001BB00000-0x000000001BB0C000-memory.dmp

memory/3652-26-0x000000001BB10000-0x000000001BB1C000-memory.dmp

memory/3652-28-0x000000001BE30000-0x000000001BE3A000-memory.dmp

memory/3652-27-0x000000001BD20000-0x000000001BD28000-memory.dmp

memory/3652-29-0x000000001BD30000-0x000000001BD3E000-memory.dmp

memory/3652-31-0x000000001BD50000-0x000000001BD5E000-memory.dmp

memory/3652-30-0x000000001BD40000-0x000000001BD48000-memory.dmp

memory/3652-32-0x000000001BD60000-0x000000001BD6C000-memory.dmp

memory/3652-33-0x000000001BD70000-0x000000001BD78000-memory.dmp

memory/3652-34-0x000000001BD80000-0x000000001BD8A000-memory.dmp

memory/3652-35-0x000000001BD90000-0x000000001BD9C000-memory.dmp

C:\Recovery\WindowsRE\WmiPrvSE.exe

MD5 1994f3ef2118aeecbb74e6c8976fd47b
SHA1 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

C:\Windows\IME\sihost.exe

MD5 6ec7dd5d1c82cd6031c2579b6282699e
SHA1 0546c098d69dc312606ab273cbc5dcb928f65453
SHA256 1b0c172d0db46827b918934f88c34e74fa0ffcb79ebead3ea03e26d8f7186580
SHA512 d7050d15ca7c1164bd3a3f61296ea78af19332aa332ea799361da02f35701739234043571a5e5a902f1badbab605e2ca8a7b111c9135d01d5b2aaf5d95aad945

C:\Windows\IME\sihost.exe

MD5 8b2ca5725b53c924f814806bccc73a34
SHA1 f1dacc8df8f52f2fcab15c5c80bcc686c9b08db2
SHA256 e8c2d275a9e46065c470b273039bcca11bc691ed2319d5553237deadfe009370
SHA512 e7f68e0ba90431a07ce952c5199242376eb2424f9b0c396359ed3f9b176b21eb32ea6a7ecfa5ba9a713c03dda0aff0f1f275482f68c7921a4f2d3d3991567318

memory/2824-63-0x00007FFC444D0000-0x00007FFC44F91000-memory.dmp

memory/2824-65-0x0000000001360000-0x0000000001370000-memory.dmp

memory/3652-64-0x00007FFC444D0000-0x00007FFC44F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\15234ff9-bbcb-4579-9fda-e93d30bb2914.vbs

MD5 c197d86851a27e80e79fa26f2a8cd389
SHA1 74f84aeac26093634d4cc98c8889ca31fa11dc1b
SHA256 0d5316e6762e27563d8efac7420bf6cce53db522899c1d0affeb328904f5bb21
SHA512 2ee24e8465f7e267061aa2889604a9554fec7e6e4edd6e32fbd4edb4fa2b482087f3580c11857c707fe2a69242e3a2483f7de3469cde649f8147c57d6b6ecf63

C:\Users\Admin\AppData\Local\Temp\b013b4bb-b03a-4ba4-ac08-5670cf4f0c95.vbs

MD5 ae69c49a9e4ff35f66476085d64fe9e8
SHA1 71dc96965de06ce02c5de133589e43e318f98c87
SHA256 99d31f720a1169c989bd8b553ee4340b6e7186775d2698dfd4af200b69b11aea
SHA512 2f7cbe5201fa3f524155ab5513a26e3135b73562ff5d70e39ed27c459b50ed7d39225c26c41f79b0934c29ba2ab352b5c6981c058d33353f5f20269c1b4a0279

memory/2824-76-0x00007FFC444D0000-0x00007FFC44F91000-memory.dmp

C:\Windows\IME\sihost.exe

MD5 c27c96535b0354240030124f1b323e48
SHA1 beab51e8d4cd917cb446153f9526a23267e01bac
SHA256 9e4b1d0e68b6ab5e47a7c4a354aed06b8b10d5194f85a7d3c52051e7e65f14ae
SHA512 69072761f6e9cfbfaee03fc7dc62b28087a761b2b278a104a4b8118616725d41bae54449bf89bcb0848847d249f5c466f6bb8cdddb08d9564f93605cac1a8291

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

MD5 caa9da90d9bfc2c0fbadbf7eb57d1aae
SHA1 b0237d1cdb8c7fdb6f89e72475dbfb639c025ed7
SHA256 b5c2348671b5ad62cc02ded41adcf1855341bd6d20706bf45d9d68e4cddd4bbd
SHA512 da20485cf87f6e9b95141dea062188b5a2299ff1e1a7f83446afac0d8b70a2d18d02b60b232b2c9e6af5071906dd08f41cf4637379165c1823a9fa9b82d155d8

memory/2340-79-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/2340-80-0x00000000012C0000-0x00000000012D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\da48e0fc-f022-4033-b910-4729c7b9c20f.vbs

MD5 758fbc3773cd47b587e18ffe8c5c97c0
SHA1 0be7cd3bad942a91be07bc9c2e6c3a2d54cca6cb
SHA256 af79947f9e91e78051b4983e74fd6163474995c8abb1965f05ada57f87ce7fc2
SHA512 5d74f41bdd9b472ea9414cf4475c8f984e5578b676967561c128b59eb3bb4e6b0cca5a006e06df5979afc367ab4cb4171d972ab9b703fce2d31325fdd94647b2

memory/2340-91-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

C:\Windows\IME\sihost.exe

MD5 82d45dfd4a00c69ce48efc368d274c6f
SHA1 f7688e639d5f71cc62a602879eb70436f8db095f
SHA256 4a962da9ab8a3e14da476b61239458cb9e134f50812753a6e5992277c6575da4
SHA512 1f2254768fae9c3b46f0ad3ab214f9afb7314de640dc1266faf84ca4242683f3e111a288b9eacff06775b07fe236621b1bf4021d24f2089f220e6eaf8ea4389b

memory/1600-93-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/1600-94-0x000000001BF60000-0x000000001BF70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7b70013c-6727-4b82-9265-3fa9548cc030.vbs

MD5 7b0d75ad5be2ae9635155b3d693acb02
SHA1 f1114fbad4e3333bea3b6054eece870391141332
SHA256 b1680b8abac818b72e8ac595f812290b9699464118984ccdbfa62f155c3b1a8c
SHA512 8ab2175a32f50320c722577e5a9f33f912d4baa6545a73bc26c1ffb4e3f7478f6a24df15a06a032fe3a001ca08f92adab0cc4db0bbee86346d1c431000b41e6f

memory/1600-105-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/5100-107-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/5100-108-0x0000000001750000-0x0000000001760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b7567cb4-16d5-4dff-b4bb-bb84e6e28a7f.vbs

MD5 9aa99fa17b336b4e99388fde3a93c1a1
SHA1 169503477daecc8aeccd1f7f466e50539603a6e8
SHA256 c755cd395df9622480553e93ace749ce01287cad92d9fa8714e9827df5ed35eb
SHA512 57fd634b84c150d637b87f0447db6530600287db61dbdabb5464244ba9aba05b50ff586e7212033c592227411c9c123e20a3e2585d19ca69a5b1bd2738b40cdc

memory/5100-119-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/736-121-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/736-122-0x000000001B980000-0x000000001B990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\94e6685f-aa57-4d24-9a3a-e4862051ea63.vbs

MD5 e848b08fb6632d8ab39cd172d89ddafd
SHA1 48f5fc9c617dac5c9440cb4a0793284cfc3598c7
SHA256 348fbde7951db51755b40c388eb69d0f4d299fde542009fdb674ab7874e63002
SHA512 6f9ab508685569c1a9bc54d9f9601b5008db2d7a98cac3b1e55bc5f41f9343e89a5a70d48e8b007005fba1ec895f8326b5e85fe20522422437f6b2d6afec045e

memory/736-133-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/1004-135-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/1004-136-0x000000001BF70000-0x000000001BF80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\721f9b048f73638b90e5a081c86a3cfb90a41d4d.exe

MD5 b0d37d80f38c5a9b2c6bbd82cbe9b02f
SHA1 023ea65c16cbdb86648c06b257473f267b9dced4
SHA256 d2c34cafaecb5326c0d7128a5f2ccf3fe8694675579aa5b81caef4549d591952
SHA512 f151bd0db69a63b2b6a7d9ab2bac2a13b96508240b7c2e3db9a9773ed24eede1d9d62c33355db3d282d56bbe2aac9fdb8396226ded09d92f3fb8818f446a8929

C:\Users\Admin\AppData\Local\Temp\3efcd243-0177-4d7d-89ed-122ed781660d.vbs

MD5 932dd01f505d029a58bd9ad1b5702500
SHA1 413833da9a3a209cd00166525ed4b8679ae47114
SHA256 80933d16c707bc8b93bd7ec4bec57ba1b3bd53195b992acc93a0b95ec4a4b43a
SHA512 de00c156fea8e8152120f22a978c1053f95b55d5a5ca88f97ea65732b9cbc0081b10c59fca50f6664d01aa689fc2d69983488091241405d326e1954afb3a9abb

memory/1004-147-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/800-149-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/800-150-0x0000000002650000-0x0000000002662000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e47e9233-795b-4e17-9aac-54f6c06d962e.vbs

MD5 887014ce5b8fc69f95c890e9b277e6bd
SHA1 fcec44c84571ebf765f190280f32ec070c7d0e14
SHA256 619ef7b684ef1e825512678c6f5abb9c2a067d6912d6d4d3582ec24d3dc2abe1
SHA512 b6323b809ac900663dab28fe799ae188d9cc27b02cf37bfbc3acb4f8379bc48decd4a492ae777ff50b0147853a1a067cbd07e73d1c9dcbe29fb4b365d95da31d

memory/800-161-0x00007FFC44720000-0x00007FFC451E1000-memory.dmp

memory/1816-163-0x00007FFC448E0000-0x00007FFC453A1000-memory.dmp

memory/1816-164-0x000000001B3E0000-0x000000001B3F0000-memory.dmp

memory/1816-165-0x000000001BC50000-0x000000001BC62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21442f3d-ae3b-4097-9039-dcde8eb658b0.vbs

MD5 1be80a536ae16237e66690e5ef8dd013
SHA1 5c7cd5fc2ac83592b41d985ad5a0c01049115458
SHA256 a1a70a21d8e636ef1a39a3b29a1528a3d49f39a89921e34b62ca2770decd0c9f
SHA512 f1a928a7576ffa67f1340736366eb8b5f17d6501bf3aecb6656bf5f3ddca7c5d14ba452f99d3124d06b6a46fcc428ad076e05fe5c2b776d1f5a6fe64cff04600

memory/1816-176-0x00007FFC448E0000-0x00007FFC453A1000-memory.dmp

memory/5032-178-0x00007FFC448E0000-0x00007FFC453A1000-memory.dmp

memory/5032-179-0x000000001B5B0000-0x000000001B5C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9155a3a-ba96-4998-99c7-f3b012b76dbb.vbs

MD5 e4b3252bfc8a732ba543e0316a2b48f6
SHA1 4b26183a81e3215db513a21ccc8ea1463422cb2a
SHA256 06cabbdde4774fa04fc6d2620dfc43c75a3cf2191a597d6dda706e485dd6b314
SHA512 ec01ef6b2a09f359db463f46bc98cc7f1ca0521936d72e5d98b0d16c5eebeeb67d461930504d007d8a9da61aa56c3b4ddecd53e6b20680c1b062b4e0f82a6f62

C:\Users\Admin\AppData\Local\Temp\dc19abc5-01c1-4dcd-93fb-918855712286.vbs

MD5 c620990b01cfffcd2b1c5440fd42a88c
SHA1 dacb204296f1e3dd7cbdd5813f7596a8718eacb3
SHA256 2e31b33e3b28ed7a3d49a92301b3a8f9868970c8bb6ac1b9be8a1101ded3c287
SHA512 6fe3bc58bcaef072b51c9959fc161e7832ec5839bf6b80b3bc4cd7512d15643574c357fb84f66522278d1093d8dc19bacc5139f5e6b447b8802d02a9244f06ac

C:\Users\Admin\AppData\Local\Temp\3e04fe46-58ee-46b5-b9dd-f868daf08af9.vbs

MD5 bd108ac39a6242efc9fb010349bec6fd
SHA1 3bac999a0d5f9cf64edc63a09cc73ba6e70ab759
SHA256 645e20c335b9932fd3a6545f29949dbd153a8117bba54e4951ec128fd8ca2127
SHA512 c4886037f151a89dc0f01cf690677076d5f0d50f3113e70efb7d6b96afadd18acad02274d09d414899bc5c1033e5127458625ffeccecc4e0d6e3216e11008afe

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-24 14:46

Reported

2024-03-24 14:48

Platform

win7-20240221-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
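
The three values written under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, in the UAC bypass table above and again here, are the UAC policy switches: EnableLUA=0 turns UAC off entirely (it takes effect only after a restart), ConsentPromptBehaviorAdmin=0 makes elevation for administrators silent immediately, and PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop onto the user's own desktop. Two caveats a responder should keep in mind: this policy key is writable only by administrators, so the writes show the sample already held an elevated token in the sandbox and is disabling UAC for later elevations rather than defeating a prompt, and the Key value queried rows in this table are reads of the same EnableLUA value interleaved with the writes. The following is an added example, not part of the report: it parses Set value (int) rows in the report's own format (the rows are copied from the tables above), replays them over the stock Windows 10 defaults and states what the resulting policy means. The defaults, the value table and the finding text are this example's assumptions.

```python
"""Replay the UAC policy writes from the report and state what they mean.

Added example for this report, not part of it. The rows are copied from the
'UAC bypass' / 'Checks whether UAC is enabled' tables; the defaults, the value
table and the finding text are this example's own.
"""
from __future__ import annotations

import re

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Out-of-the-box values on Windows 10 (assumed baseline for the replay).
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# ConsentPromptBehaviorAdmin semantics (documented UAC policy values).
CPBA = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (default)",
}

# 'Set value (int) <key>\<name> = "<value>" <process> <target>' as printed in the report.
ROW_RE = re.compile(r'^Set value \(int\) (\S+)\\(\w+) = "(-?\d+)" (.+?) (\S+)$')


def parse_rows(rows: list[str]) -> list[tuple[str, str, int, str]]:
    """(key, value name, integer value, writing process) for each Set value row."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            key, name, value, process, _target = m.groups()
            out.append((key, name, int(value), process))
    return out


def effective_policy(rows: list[str], baseline: dict[str, int] = DEFAULTS) -> dict[str, int]:
    """Apply the writes in report order on top of the baseline."""
    policy = dict(baseline)
    for key, name, value, _proc in parse_rows(rows):
        if key.lower() == POLICY_KEY.lower():
            policy[name] = value
    return policy


def assess(policy: dict[str, int]) -> list[str]:
    """Human-readable findings for a UAC policy; empty for the defaults."""
    findings = []
    if policy.get("EnableLUA", 1) == 0:
        findings.append("EnableLUA=0: UAC off after the next restart; admin logons get a full token")
    if policy.get("ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: " + CPBA[0] + " (effective immediately)")
    if policy.get("PromptOnSecureDesktop", 1) == 0:
        findings.append("PromptOnSecureDesktop=0: prompts drawn on the user desktop, where they can be spoofed or automated")
    return findings


def writers(rows: list[str]) -> set[str]:
    """Every process that wrote a UAC policy value (both the dropper and its copy here)."""
    return {proc for _k, _n, _v, proc in parse_rows(rows)}


# Rows copied from the report's tables (one per distinct value/process pair).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"
CSRSS = r"C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe"
REPORT_ROWS = [
    f'Set value (int) {POLICY_KEY}\\ConsentPromptBehaviorAdmin = "0" {SAMPLE} N/A',
    f'Set value (int) {POLICY_KEY}\\PromptOnSecureDesktop = "0" {CSRSS} N/A',
    f'Set value (int) {POLICY_KEY}\\EnableLUA = "0" {CSRSS} N/A',
    f'Key value queried {POLICY_KEY}\\EnableLUA {CSRSS} N/A',   # a read row; the parser skips it
    f'Set value (int) {POLICY_KEY}\\EnableLUA = "0" {SAMPLE} N/A',
]

if __name__ == "__main__":
    pol = effective_policy(REPORT_ROWS)
    print(pol)
    for line in assess(pol):
        print(" -", line)
    print("written by:", sorted(writers(REPORT_ROWS)))
```

On a live host the same three values can be read with reg query or Get-ItemProperty on the policy key; anything other than the defaults on a machine that is not under a deliberate policy is worth a look, and EnableLUA=0 in particular survives until someone sets it back and restarts.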

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Services\csrss.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\wininit.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files\Windows Defender\csrss.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Internet Explorer\it-IT\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\56085415360792 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Google\Update\Offline\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Google\Update\Offline\services.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Windows Media Player\it-IT\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files\Common Files\Services\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files\Windows Defender\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\5d3a782401ab58 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Boot\Idle.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\schemas\wininit.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File opened for modification C:\Windows\schemas\wininit.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\schemas\56085415360792 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\ServiceProfiles\lsass.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\ServiceProfiles\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
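
Every executable the sample drops is named after a core Windows process (csrss.exe, wininit.exe, lsass.exe, services.exe, dwm.exe, dllhost.exe, audiodg.exe) and placed in a directory where that name never legitimately appears, plus an Idle.exe, a name Windows has no file for at all. Each executable is paired with an extension-less file whose name is 14 hexadecimal characters; the report does not show what those files contain. The fastest triage check is therefore name against location. The following is an added example, not part of the report: it classifies the dropped paths copied from the two tables above (plus the C:\Recovery copy that appears in the Process column elsewhere in the report) against an allow-list of where each system binary lives. The allow-list is this example's assumption.

```python
"""Name-versus-location triage of the files the sample drops.

Added example for this report, not part of it. DROPPED_PATHS is copied from the
two 'Drops file in ...' tables plus the C:\\Recovery copy that runs; the
allow-list of where each Windows binary legitimately lives is an assumption.
"""
from __future__ import annotations

import ntpath
import re

# Where each impersonated name legitimately lives on 64-bit Windows 10. An empty
# set means no file of that name exists at all ('System Idle Process' is a
# kernel pseudo-process, not an Idle.exe). Assumed allow-list.
LEGIT_DIRS: dict[str, set[str]] = {
    "csrss.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "idle.exe": set(),
}

# Extension-less 14-hex-character companions dropped next to each executable.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")


def classify(path: str, sample_name: str) -> str | None:
    """'masquerade', 'companion', 'self_copy', or None for nothing notable."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if name == sample_name.lower():
        return "self_copy"
    if name in LEGIT_DIRS and folder not in LEGIT_DIRS[name]:
        return "masquerade"
    if COMPANION_RE.match(name):
        return "companion"
    return None


def triage(paths: list[str], sample_name: str) -> dict[str, list[str]]:
    """Group paths by classification, keeping report order and dropping repeats."""
    groups: dict[str, list[str]] = {"masquerade": [], "companion": [], "self_copy": []}
    for p in dict.fromkeys(paths):            # dedupe, first occurrence wins
        label = classify(p, sample_name)
        if label:
            groups[label].append(p)
    return groups


SAMPLE_NAME = "1994f3ef2118aeecbb74e6c8976fd47b.exe"
DROPPED_PATHS = [
    r"C:\Program Files\Common Files\Services\csrss.exe",
    r"C:\Program Files\Windows Photo Viewer\en-US\wininit.exe",
    r"C:\Program Files\Windows Defender\csrss.exe",
    r"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe",
    r"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3",
    r"C:\Program Files (x86)\Internet Explorer\it-IT\42af1c969fbb7b",
    r"C:\Program Files\Windows Photo Viewer\en-US\56085415360792",
    r"C:\Program Files (x86)\Google\Update\Offline\c5b4cb5e9653cc",
    r"C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe",
    r"C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe",
    r"C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe",
    r"C:\Program Files (x86)\Google\Update\Offline\services.exe",
    r"C:\Program Files (x86)\Windows Media Player\it-IT\5940a34987c991",
    r"C:\Program Files\Common Files\Services\886983d96e3d3e",
    r"C:\Program Files\Windows Defender\886983d96e3d3e",
    r"C:\Program Files (x86)\Common Files\DESIGNER\5d3a782401ab58",
    r"C:\Windows\Boot\Idle.exe",
    r"C:\Windows\schemas\wininit.exe",
    r"C:\Windows\schemas\wininit.exe",             # 'opened for modification' row, same file
    r"C:\Windows\schemas\56085415360792",
    r"C:\Windows\ServiceProfiles\lsass.exe",
    r"C:\Windows\ServiceProfiles\6203df4a6bafc7",
    r"C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe",   # the copy that executes
]

if __name__ == "__main__":
    for label, hits in triage(DROPPED_PATHS, SAMPLE_NAME).items():
        print(f"{label}: {len(hits)}")
        for h in hits:
            print("   ", h)
```

The same check applied to a running system is the classic "csrss.exe not under System32" hunt; pair it with a parent check, since a real csrss.exe is started by smss.exe and never by a file in Temp or Recovery.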

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
N/A N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2676 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2676 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2568 wrote to memory of 1892 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 1892 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 1892 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 1752 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 1752 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 1752 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1892 wrote to memory of 1992 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 1892 wrote to memory of 1992 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 1892 wrote to memory of 1992 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 1992 wrote to memory of 592 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1992 wrote to memory of 592 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1992 wrote to memory of 592 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1992 wrote to memory of 1096 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1992 wrote to memory of 1096 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1992 wrote to memory of 1096 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 592 wrote to memory of 1860 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 592 wrote to memory of 1860 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 592 wrote to memory of 1860 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 1860 wrote to memory of 2536 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1860 wrote to memory of 2536 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1860 wrote to memory of 2536 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1860 wrote to memory of 2656 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1860 wrote to memory of 2656 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1860 wrote to memory of 2656 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2536 wrote to memory of 2936 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2536 wrote to memory of 2936 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2536 wrote to memory of 2936 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2936 wrote to memory of 2036 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2936 wrote to memory of 2036 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2936 wrote to memory of 2036 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2936 wrote to memory of 2680 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2936 wrote to memory of 2680 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2936 wrote to memory of 2680 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2036 wrote to memory of 1476 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2036 wrote to memory of 1476 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2036 wrote to memory of 1476 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 1476 wrote to memory of 2308 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1476 wrote to memory of 2308 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1476 wrote to memory of 2308 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1476 wrote to memory of 1940 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1476 wrote to memory of 1940 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 1476 wrote to memory of 1940 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2308 wrote to memory of 2652 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2308 wrote to memory of 2652 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2308 wrote to memory of 2652 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2652 wrote to memory of 2848 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 2848 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 2848 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 1232 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 1232 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 1232 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2848 wrote to memory of 2560 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2848 wrote to memory of 2560 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2848 wrote to memory of 2560 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
PID 2560 wrote to memory of 2208 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2560 wrote to memory of 2208 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2560 wrote to memory of 2208 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2560 wrote to memory of 2716 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2560 wrote to memory of 2716 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2560 wrote to memory of 2716 N/A C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe C:\Windows\System32\WScript.exe
PID 2208 wrote to memory of 2732 N/A C:\Windows\System32\WScript.exe C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
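
Read as a whole, these rows describe a process chain rather than code injection: the sample launches the C:\Recovery copy of csrss.exe, which launches WScript.exe twice, one of those launches csrss.exe again, and the pattern repeats. Three writes per child, always from a parent into the process it has just created, are consistent with the sandbox recording the memory writes that process creation itself performs, so the point of this table is the relaunch loop, not a hollowed process. The report does not show the scripts WScript.exe ran. The following is an added example, not part of the report: it parses rows in the report's own format (the 64 rows above, written out with a helper that repeats each row as many times as the report prints it), rebuilds the tree, renders it and counts how many csrss.exe generations the chain reaches. The parsing and tree logic are this example's own.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not part of it. ROWS reproduces the 64 rows of
the table above (a helper repeats each row as many times as the report prints
it); the parsing, tree building and generation count are this example's own.
"""
from __future__ import annotations

import ntpath
import re
from collections import Counter
from dataclasses import dataclass

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


@dataclass(frozen=True)
class Write:
    src: int
    dst: int
    src_image: str
    dst_image: str


def parse_rows(rows: list[str]) -> list[Write]:
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            s, d, si, di = m.groups()
            out.append(Write(int(s), int(d), si, di))
    return out


def build_tree(writes):
    """children (ordered, deduped), pid -> image name, and write count per edge."""
    children: dict[int, list[int]] = {}
    images: dict[int, str] = {}
    counts: Counter = Counter()
    for w in writes:
        images[w.src] = ntpath.basename(w.src_image).lower()
        images[w.dst] = ntpath.basename(w.dst_image).lower()
        counts[(w.src, w.dst)] += 1
        kids = children.setdefault(w.src, [])
        if w.dst not in kids:
            kids.append(w.dst)
    return children, images, counts


def longest_lineage(children, images, root):
    """Deepest root-to-leaf path as [(pid, image), ...]."""
    best: list[tuple[int, str]] = []
    for kid in children.get(root, []):
        cand = longest_lineage(children, images, kid)
        if len(cand) > len(best):
            best = cand
    return [(root, images[root])] + best


def relaunch_count(lineage, image="csrss.exe"):
    """How many generations of `image` the deepest chain contains."""
    return sum(1 for _pid, img in lineage if img == image)


def render(children, images, root, depth=0):
    """Indented one-line-per-process view of the tree."""
    lines = [f"{'  ' * depth}{images[root]} ({root})"]
    for kid in children.get(root, []):
        lines += render(children, images, kid, depth + 1)
    return lines


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"
CSRSS = r"C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"


def _rows(src, dst, src_img, dst_img, n=3):
    """The report prints one identical row per WriteProcessMemory call (three per child)."""
    return [f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"] * n


ROWS = (
    _rows(2676, 2568, SAMPLE, CSRSS) + _rows(2568, 1892, CSRSS, WSCRIPT)
    + _rows(2568, 1752, CSRSS, WSCRIPT) + _rows(1892, 1992, WSCRIPT, CSRSS)
    + _rows(1992, 592, CSRSS, WSCRIPT) + _rows(1992, 1096, CSRSS, WSCRIPT)
    + _rows(592, 1860, WSCRIPT, CSRSS) + _rows(1860, 2536, CSRSS, WSCRIPT)
    + _rows(1860, 2656, CSRSS, WSCRIPT) + _rows(2536, 2936, WSCRIPT, CSRSS)
    + _rows(2936, 2036, CSRSS, WSCRIPT) + _rows(2936, 2680, CSRSS, WSCRIPT)
    + _rows(2036, 1476, WSCRIPT, CSRSS) + _rows(1476, 2308, CSRSS, WSCRIPT)
    + _rows(1476, 1940, CSRSS, WSCRIPT) + _rows(2308, 2652, WSCRIPT, CSRSS)
    + _rows(2652, 2848, CSRSS, WSCRIPT) + _rows(2652, 1232, CSRSS, WSCRIPT)
    + _rows(2848, 2560, WSCRIPT, CSRSS) + _rows(2560, 2208, CSRSS, WSCRIPT)
    + _rows(2560, 2716, CSRSS, WSCRIPT) + _rows(2208, 2732, WSCRIPT, CSRSS, n=1)  # table ends here
)

if __name__ == "__main__":
    kids, imgs, cnt = build_tree(parse_rows(ROWS))
    print("\n".join(render(kids, imgs, 2676)))
    lin = longest_lineage(kids, imgs, 2676)
    print(f"{len(lin)} processes deep, {relaunch_count(lin)} csrss.exe generations")
```

The rendered tree makes the two WScript.exe children per csrss.exe generation visible at a glance; only one of each pair continues the chain, which is the kind of detail that is invisible in the flat table but decides which script file to pull from the sandbox's dropped-file list.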

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe

"C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\schemas\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Offline\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1994f3ef2118aeecbb74e6c8976fd47b1" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1994f3ef2118aeecbb74e6c8976fd47b" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1994f3ef2118aeecbb74e6c8976fd47b1" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

"C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\114f6a21-7494-4334-8074-77afa40c308e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d8062ef-78ba-4bf9-86a7-d3d807d11357.vbs"

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aabf0ab-2ca8-4e25-9e90-fd6359e0ce4e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c646af0-a85d-4c51-80d3-efd1ec323331.vbs"

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3276c21-a30b-480f-b54f-4854570b9b51.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55968cf4-b7c3-4757-8ccd-92ab406f18fc.vbs"

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78dd1a97-3ac8-4cc1-8f52-8615fffd81a1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0df75ae-27fe-4fed-8cef-ce67e8e60432.vbs"

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\650f3208-2d92-41fa-96f3-520d311947f0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f5e63ea-683c-4d09-9c47-0e828b4c152b.vbs"

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1a49d39-dce3-4f3a-bdbc-b647d87d8d6d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0c4dbd5-da1b-4890-9e41-152744547ea3.vbs"

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d3ea02f-765c-4bcb-a91b-73c8b711f941.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a51dcd-c12d-4d29-8c60-595d3441931e.vbs"

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\109399d3-78ce-4cb5-bca2-09e3541df3ae.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45f7fb4b-c75e-405d-a081-ffd2ead2119e.vbs"

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa59f44-724d-4e15-87e1-493a539137b7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7601085-0ccb-4b87-b1f9-0c1ddc9f49a2.vbs"

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01196dfb-b8d2-435f-a7bf-fdc36e7d7b1f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bed549e-638a-4ba2-9792-bccf9ae0fb92.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0917913.xsph.ru udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp

Files
