Malware Analysis Report

2025-06-15 19:46

Sample ID 240324-r6rmwaga8y
Target 1994f3ef2118aeecbb74e6c8976fd47b.exe
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
Tags rat dcrat evasion infostealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c

Threat Level: Known bad

The file 1994f3ef2118aeecbb74e6c8976fd47b.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

Dcrat family

DcRat

DCRat payload

Process spawned unexpected child process

UAC bypass

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

System policy modification

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-24 14:48

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-24 14:48

Reported

2024-03-24 14:51

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CSC\v2.0.6\dllhost.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A
N/A N/A C:\Users\Public\Music\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Windows\System32\cmd.exe
PID 2120 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Windows\System32\cmd.exe
PID 2120 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Windows\System32\cmd.exe
PID 2772 wrote to memory of 804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2772 wrote to memory of 804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2772 wrote to memory of 804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2772 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Music\csrss.exe
PID 2772 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Music\csrss.exe
PID 2772 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Music\csrss.exe
PID 2800 wrote to memory of 2900 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 2900 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 2900 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 2116 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 2116 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 2116 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2900 wrote to memory of 1044 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2900 wrote to memory of 1044 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2900 wrote to memory of 1044 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 1044 wrote to memory of 1976 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1044 wrote to memory of 1976 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1044 wrote to memory of 1976 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1044 wrote to memory of 2880 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1044 wrote to memory of 2880 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1044 wrote to memory of 2880 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1976 wrote to memory of 1688 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 1976 wrote to memory of 1688 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 1976 wrote to memory of 1688 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 1688 wrote to memory of 2964 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1688 wrote to memory of 2964 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1688 wrote to memory of 2964 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1688 wrote to memory of 736 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1688 wrote to memory of 736 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1688 wrote to memory of 736 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2964 wrote to memory of 2256 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2964 wrote to memory of 2256 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2964 wrote to memory of 2256 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2256 wrote to memory of 2656 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2256 wrote to memory of 2656 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2256 wrote to memory of 2656 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2256 wrote to memory of 2132 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2256 wrote to memory of 2132 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2256 wrote to memory of 2132 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2656 wrote to memory of 2320 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2656 wrote to memory of 2320 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2656 wrote to memory of 2320 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2320 wrote to memory of 1036 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2320 wrote to memory of 1036 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2320 wrote to memory of 1036 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2320 wrote to memory of 456 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2320 wrote to memory of 456 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2320 wrote to memory of 456 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1036 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 1036 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 1036 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2372 wrote to memory of 2724 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 2724 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 2724 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 2436 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 2436 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 2436 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2724 wrote to memory of 2960 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2724 wrote to memory of 2960 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2724 wrote to memory of 2960 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2960 wrote to memory of 2260 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
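The "wrote to memory" rows above are the sandbox's view of CreateProcess (it logs three writes per child), so the table is really a process tree. The script below is an added example, not part of the sandbox output: it de-duplicates the rows, rebuilds the tree, measures the csrss.exe to WScript.exe to csrss.exe relaunch chain, and marks images that carry a Windows system binary name but run outside C:\Windows. The SYSTEM_NAMES list is an assumption of the example, not something the report states.

```python
"""Rebuild the detonation's process tree from the WriteProcessMemory rows.

Added example for this report, not sandbox output. WPM_ROWS is copied from
the behavioral1 'Suspicious use of WriteProcessMemory' table; the first edge
is kept in triplicate to show the de-duplication. SYSTEM_NAMES is an
assumption of this example.
"""
import re

WPM_ROWS = r"""
PID 2120 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Windows\System32\cmd.exe
PID 2120 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Windows\System32\cmd.exe
PID 2120 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Windows\System32\cmd.exe
PID 2772 wrote to memory of 804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2772 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Music\csrss.exe
PID 2800 wrote to memory of 2900 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2800 wrote to memory of 2116 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2900 wrote to memory of 1044 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 1044 wrote to memory of 1976 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1044 wrote to memory of 2880 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1976 wrote to memory of 1688 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 1688 wrote to memory of 2964 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1688 wrote to memory of 736 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2964 wrote to memory of 2256 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2256 wrote to memory of 2656 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2256 wrote to memory of 2132 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2656 wrote to memory of 2320 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2320 wrote to memory of 1036 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2320 wrote to memory of 456 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 1036 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2372 wrote to memory of 2724 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 2436 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
PID 2724 wrote to memory of 2960 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Music\csrss.exe
PID 2960 wrote to memory of 2260 N/A C:\Users\Public\Music\csrss.exe C:\Windows\System32\WScript.exe
"""

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Names of Windows system processes; a copy running outside C:\Windows is a masquerade.
SYSTEM_NAMES = {"csrss.exe", "dllhost.exe", "spoolsv.exe", "taskhost.exe",
                "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}


def parse_edges(text):
    """Return de-duplicated (ppid, pid, parent_image, child_image) tuples in report order."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ppid, pid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        if (ppid, pid) not in seen:          # sandbox logs three writes per CreateProcess
            seen.add((ppid, pid))
            edges.append((ppid, pid, pimg, cimg))
    return edges


def build_tree(edges):
    """children: ppid -> [pid]; image: pid -> path; roots: pids that are never a child."""
    children, image = {}, {}
    for ppid, pid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image[pid] = cimg
        children.setdefault(ppid, []).append(pid)
    child_pids = {pid for _, pid, _, _ in edges}
    roots = [p for p in image if p not in child_pids]
    return children, image, roots


def depth(children, pid):
    """Number of edges on the longest path below pid (0 for a leaf)."""
    return 1 + max((depth(children, c) for c in children.get(pid, [])), default=-1)


def masquerading(image, names=SYSTEM_NAMES):
    """True when a system-binary name runs from outside C:\\Windows."""
    base = image.rsplit("\\", 1)[-1].lower()
    return base in names and not image.lower().startswith("c:\\windows\\")


def relaunch_count(edges, launcher="wscript.exe", payload="csrss.exe"):
    """How many times the script host started the payload (the VBS relaunch loop)."""
    return sum(1 for _, _, pimg, cimg in edges
               if pimg.lower().endswith("\\" + launcher)
               and cimg.lower().endswith("\\" + payload))


def render(children, image, pid, indent=0):
    """Indented text tree; masquerading images are marked."""
    mark = "  <-- system name outside C:\\Windows" if masquerading(image[pid]) else ""
    lines = [f"{' ' * indent}{pid} {image[pid]}{mark}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, indent + 2))
    return lines


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    children, image, roots = build_tree(edges)
    print("\n".join(render(children, image, roots[0])))
    print(f"edges={len(edges)} depth={depth(children, roots[0])} "
          f"relaunches={relaunch_count(edges)}")
```

Run it to print the tree: the main chain is sixteen processes deep and WScript.exe starts csrss.exe six times, which is what the paired .vbs files in the Processes list implement (one script relaunches the payload, the other is a decoy). The prefix check on C:\Windows is deliberately coarse; it does not flag the C:\Windows\CSC\v2.0.6\dllhost.exe drop reported under "Drops file in Windows directory", so tighten it to System32 and SysWOW64 if you want that one too.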

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
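The values written above, in the "UAC bypass" table, the "Checks whether UAC is enabled" table and this "System policy modification" table, are the same three HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System values; the sandbox lists each write under every signature it matches. The script below is an added example, not sandbox output: it parses one representative of each row, reduces them to the final policy state, names what each zero means, and records which processes read and wrote the values. The DEFAULTS table holds the Windows default values and is the example's assumption.

```python
"""Evaluate the UAC policy state left behind by the registry writes in this report.

Added example for this report, not sandbox output. ROWS is copied from the
UAC signature tables (one representative of each repeated row). DEFAULTS and
MEANING are this example's assumptions about Windows defaults and semantics.
"""
import re

ROWS = r"""
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
"""

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

ROW_RE = re.compile(
    r'^(?P<op>Set value \(int\)|Key value queried) '
    r'(?P<key>\\REGISTRY\\\S+)\\(?P<name>\w+)'   # key path, then the value name
    r'(?: = "(?P<val>-?\d+)")? '                 # value present only for writes
    r'(?P<proc>\S+) N/A$'
)

# Windows defaults (assumption of this example): UAC on, admins prompted for
# consent for non-Windows binaries (5), prompts drawn on the secure desktop.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
MEANING = {
    ("EnableLUA", 0): "UAC disabled entirely (effective after the next reboot)",
    ("ConsentPromptBehaviorAdmin", 0): "administrators elevate silently, no prompt",
    ("PromptOnSecureDesktop", 0): "elevation prompts drawn on the normal desktop, automatable",
}


def parse_rows(text):
    """One dict per sandbox row: op (set/query), key, name, value, process."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        events.append({"op": "set" if m["op"].startswith("Set") else "query",
                       "key": m["key"], "name": m["name"],
                       "value": int(m["val"]) if m["val"] is not None else None,
                       "process": m["proc"]})
    return events


def uac_state(events, key=UAC_KEY):
    """Final value of each UAC policy written under key, and the processes that wrote it."""
    state, writers = {}, {}
    for e in events:
        if e["op"] == "set" and e["key"] == key:
            state[e["name"]] = e["value"]          # last write wins
            writers.setdefault(e["name"], set()).add(e["process"])
    return state, writers


def queried_by(events, name="EnableLUA", key=UAC_KEY):
    """Processes that read the policy (the 'Checks whether UAC is enabled' signature)."""
    return {e["process"] for e in events
            if e["op"] == "query" and e["key"] == key and e["name"] == name}


def findings(state, defaults=DEFAULTS):
    """(name, value, meaning) for every policy that differs from its default."""
    return [(name, state[name], MEANING.get((name, state[name]), "non-default value"))
            for name, default in defaults.items()
            if name in state and state[name] != default]


if __name__ == "__main__":
    events = parse_rows(ROWS)
    state, writers = uac_state(events)
    for name, value, meaning in findings(state):
        print(f"{name}={value}: {meaning}; written by {sorted(writers[name])}")
    print("EnableLUA read by:", sorted(queried_by(events)))
```

Writing these values needs administrative rights, which the sandbox's Admin account supplied; on a standard-user host the same calls fail and the sample would have to elevate first. EnableLUA=0 only takes effect after a reboot, so the immediate gain is ConsentPromptBehaviorAdmin=0, which makes every later elevation by any process silent. A host check is the same three reads against the live key: any of them differing from DEFAULTS on a machine where policy does not set them is worth an alert.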

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe

"C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m5CkcR6d4r.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Music\csrss.exe

"C:\Users\Public\Music\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f7b6709-ed26-4a1c-82fb-31a4d65289cd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaf1188b-9d65-4488-a04a-28dbf6e1dd92.vbs"

C:\Users\Public\Music\csrss.exe

C:\Users\Public\Music\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91f93f14-0adf-4493-91f4-352bef19b4fb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d56f833e-79da-4031-8d9b-47913df4d2c5.vbs"

C:\Users\Public\Music\csrss.exe

C:\Users\Public\Music\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bd31eb5-9fa2-4257-9bc5-a43ac41aa03d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01e17cf7-0f94-448a-98f0-ea331aace60f.vbs"

C:\Users\Public\Music\csrss.exe

C:\Users\Public\Music\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46503802-e186-47cb-b1ef-d2b7be6c7a60.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73302e4f-4598-4b6f-afd2-37618fcf315f.vbs"

C:\Users\Public\Music\csrss.exe

C:\Users\Public\Music\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a027564c-375f-47d9-8b00-9f9c930d55ae.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e4f1e69-41b0-4020-ab97-312ff552da46.vbs"

C:\Users\Public\Music\csrss.exe

C:\Users\Public\Music\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1a856c6-2426-45fb-a758-2d17efdc7c79.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33ad29b9-73a0-4134-9736-caa93061f2f8.vbs"

C:\Users\Public\Music\csrss.exe

C:\Users\Public\Music\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0171763c-71c2-4e3c-8c68-093b64761c5f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aac781cb-cd6e-495a-a362-6483b6795880.vbs"

C:\Users\Public\Music\csrss.exe

C:\Users\Public\Music\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80e37603-dece-4592-a79d-475ca6a1ae73.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2792d07b-8e07-4cbe-bce6-91338e48614f.vbs"

C:\Users\Public\Music\csrss.exe

C:\Users\Public\Music\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23991465-76a0-4f90-82fe-d5aa0fb580a7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e766a6-9da2-4f8b-abcf-8d2e1fc4092d.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0917913.xsph.ru udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp (8 connections)

Files

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe

MD5 5d977af1de7ac5402715dddff81a12a2
SHA1 fdfc50ac5ce39020ed56fdb4e5672fda15c1b91d
SHA256 3d898781eaca52631a9d69d2b89aeaf635c80a7dc5bbefb73f33ce8807225cdf
SHA512 cf3cfab3392d8f3c8bd99d56046463d5e39420c81e5c5a757de39368625e98a115ef0e37717a7ce1b4935f7c3683e5ac3c2c2e5a45ea6d5b52328d31a0910fdc

C:\Users\Admin\AppData\Local\Temp\m5CkcR6d4r.bat

MD5 9fce52b43bcdf310b33d5436bb5d8254
SHA1 9934249c831584580ff07726c741ccd289fe9137
SHA256 b9af96e59f43bb912485ed1ce79ac44ffaeb8d29398e29b0c8cac91d828dd835
SHA512 3e1e940c964745c1c034245d3f0e8be6f79734f9831c215cea2b70e6c474119208a1618d32428ed0215cb57fcb9142b75242a493b160625a83308fd2abb6133d

C:\Users\Public\Music\csrss.exe

MD5 1994f3ef2118aeecbb74e6c8976fd47b
SHA1 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

C:\Users\Admin\AppData\Local\Temp\1f7b6709-ed26-4a1c-82fb-31a4d65289cd.vbs

MD5 623875a708dcf5c24ed8fd9c58684441
SHA1 26248abf0c60d2f05089599ea8f5b3e15b3578c4
SHA256 544a80a97015e77ec4d5881ff5bb960724c40779e13c91b7e69b2edb5220bcaa
SHA512 6500d9a9b0d36f95742a4cd3d5c296aa324ee7c1e2c8964760350d4a066816b7e3e1cc85c46b654f77a01bfd6c0b65ebb3d9e8354b94a2e15f6b5d720ace03ea

C:\Users\Admin\AppData\Local\Temp\aaf1188b-9d65-4488-a04a-28dbf6e1dd92.vbs

MD5 fe7b711db3375c6e3eed72e9f3ca29be
SHA1 838103eddd28d21e63bc3223e5336c94b5033d18
SHA256 811349c704937e7c61d8d5e65f317bfbdddca076e7d2af53892842f5835d3a93
SHA512 27d693c92815adf074c863a077d76627d49b0e800f050e754c7af1d65fa806d05f02536cde17b49deeaaf07578b626225aa0ba94ed04daad5c124b0ccc72a308

C:\Users\Public\Music\csrss.exe

MD5 5ebd26f7b539d06ee26e4335bdad1bac
SHA1 f8013bd49ea6c345395c56f4c373e39fe5b1d2eb
SHA256 7314a4df55312d5b2952c66fdc0ba36c2f5b1dbb3ad88f1dd2ba283c8400696b
SHA512 c343fb3b8c82967042a407d684cdb5968d80446e96d1fdfe9c4e33ca727a26281a2e7cae05a997f4983ecf61e3aec41252b544ef827592d556c4a5ffe76e8e73

C:\Users\Admin\AppData\Local\Temp\91f93f14-0adf-4493-91f4-352bef19b4fb.vbs

MD5 e55465e1f5470fa61a104860cd89cc75
SHA1 f15aa444e529c3df491fea67e29427acd4ce30c0
SHA256 59c4ddb711a3a7af2511b6514b2af8366b5dec07b8822cc74032bee913ff6938
SHA512 9305dcd66fb029920338a0d3fb1cb48178d2d39a7b3f79c0f1ddaeb7b033465b6b88a2a30964bee98ba94a236f6d5bb07949748a6fa5fd9785f29720fc4e4309

C:\Users\Public\Music\csrss.exe

MD5 ac56c130b3cd505aa904cb664c9e02c2
SHA1 827416a2efd8ffc642c68c590def694f371ab7a5
SHA256 11727dce2e76fddb955ceff8a25e9ac33b1cb561ebfe03ef4fb3eff3668e0d78
SHA512 2966efd688cb2870659cabbf5b6e9e89c0d4fee032a68e9f7d5c6ca662e03d6e92a40a484824ac69a66a8a198955218c8d93cdeb65536b2ce51a3601595b497e

C:\Users\Admin\AppData\Local\Temp\2bd31eb5-9fa2-4257-9bc5-a43ac41aa03d.vbs

MD5 2a10cdc0b10eaeeb3502e3e730007357
SHA1 73e930897e56fd3eb5ea961720e7851a1dc8f267
SHA256 e986806f15dbaeebed827e8e9d7d79ad764361e9054e65f1f4116bfcce537c5a
SHA512 822658a479851ff2b5b61cf0357dbe5684f04b197e987d58caa3a9865a53770d1780b936b955a912225340c512aea6f06cdd8a482bfd718cc103406c07e4a4ea

C:\Users\Public\Music\csrss.exe

MD5 fc95f901144b526106036caf9f1d1ded
SHA1 2ea1694dfd32b9cee3ef3adfe9516d4cc3a3c187
SHA256 bba41fcf986afd98eb026246769343704af4bea6628c48920458d93b7fd8d1b3
SHA512 d5595d34c0f3935c99d4db44fe9757ff6e08505fd3c684732490249471282ba89ce2038dde4226fb4b99af28f1da63601f950e8a75a1564329979097c272dfcf

C:\Users\Admin\AppData\Local\Temp\410f85fb548d2c984bd2c897e2942f934bd742ef.exe

MD5 48051776708f84a234f036308f2d5192
SHA1 6a716f8fbc5d7e03af0c31ccfb994394cf03f3ec
SHA256 85ed7fc997cd5b4d8c71e7ec57f2dbfba233ae06f697bbd89da7d9a8710928fc
SHA512 17f097d9db5aa390552f1635e06c7149f49d9dc0a01177a407c4125e7c0613d281a5572e27a51374c4d76bcf1645875b1e8fba49f3ec3e585fd9b9bf2c2be2da

C:\Users\Admin\AppData\Local\Temp\46503802-e186-47cb-b1ef-d2b7be6c7a60.vbs

MD5 252c61d41fa398c095873e09756ba283
SHA1 83826fe5e96e4efddc9692a21c114ee945b30068
SHA256 4b7b601e1db568b8bbca0d961187e37be34094335f7ccb199de9edb0cf12c17c
SHA512 571b2d7d73ca7986c1109cfd845604035ee170ca90404b5aea5f1ee9b48e5f082d4f51cfbfa4e4ba7d42d670de8c75c69d004b8688075887d10b4fce59b3b507

C:\Users\Admin\AppData\Local\Temp\a027564c-375f-47d9-8b00-9f9c930d55ae.vbs

MD5 d221fe1e201163ddab222a64cbb41c6d
SHA1 07f9e9cabd4261e8ac397aa88b04500efcb8229a
SHA256 3fe736fde458ca914507633c3915889da9c1c48e8454f690f91c5254754331fb
SHA512 653802b8148583be20ccc8bd23e737bf5a0f03df640862452672cf0b6b5272e2c60c9627e8b762051b4b96e88aae81dc157082a53ab74d220477bc73a6c11e43

C:\Users\Admin\AppData\Local\Temp\a1a856c6-2426-45fb-a758-2d17efdc7c79.vbs

MD5 40deae23d3a781cb3a37dfa5cb77cc4f
SHA1 247bb1e999fc29cd7b3e87b8ce468bc269ca8e69
SHA256 e6ae65cfe41b3484441edfb26e103f22b6fa811776e3212f1519df5c526fc82a
SHA512 79b731a0a81cad04caa924e3a523c9e08c846688d9b746d8e9f52dff453a6f609a69787135d5819f9ca9d1abc706d3afad441a9be6b1a710dd5739f14823d1ee

C:\Users\Public\Music\csrss.exe

MD5 bddd5acbddb8b9715cb56d46233233e7
SHA1 94ffc545aaf1016278c404e8bec4185139c521c5
SHA256 3d7bc27bf8322a5eecf47af5457c346cbb4a8d7e141c0805f49aab1db2aee0dc
SHA512 0b568545a946f30c7186d7958acfe4da7ed58f151d3ba457aadc1db0bcb9452201f25f1f56cfae9895f2e27ed2cfb92a0178e841928dfb7e715a3ce33c95c86c

C:\Users\Admin\AppData\Local\Temp\0171763c-71c2-4e3c-8c68-093b64761c5f.vbs

MD5 69b47ad32b17a5aa3f8cbf97a783f793
SHA1 e9c9a241db674722f3fce428c363a4fef410ff67
SHA256 d383ea5769393921e31a79e7ce62d867936e28bd7d65f3ae994e877fef85ff41
SHA512 e21e41a7e68f3aa1dc9e4eb515486fbe456a3fae5c04b233737140fb4b214547ed7893bf5fb82c5e2ede47b0ce0848269b3dceb331b3be1ea869e27a34fab1f6

C:\Users\Admin\AppData\Local\Temp\80e37603-dece-4592-a79d-475ca6a1ae73.vbs

MD5 a21ea52236846f21a9b6e74fa734273c
SHA1 fbc01a5eea85183d0d364b3183fe27f0a623ec65
SHA256 7104d42f6340760c8f4fd9fd6c9cfa95c7fcea42e0b0afbf9d288e84fbf230b7
SHA512 e79684ea4c0863c4a9a0eca363ea4f1613feaa894cc9c56c575cd2db55faaa047109651d2dcf291e86c487857ff07c36d74d4ce3178e04c2d3d258899f65febb

C:\Users\Admin\AppData\Local\Temp\23991465-76a0-4f90-82fe-d5aa0fb580a7.vbs

MD5 360c1ebda4c34c06a42a9aa66954e23d
SHA1 e18ef1ad5e07c502939849aa7fb023b0028a53d9
SHA256 bd117e88922596178bd06dbfcc1a4cc66057241cbc49aa7c213a05a39298fb5b
SHA512 e4faa57ed974f0bc685f531765793cf87931b3bd2fe787d2959f549a63f1ac1f2ec6b4c7b258f47993ece4be24efcb082eddab72429e822519f41fc9f4e10e34

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-24 14:48

Reported

2024-03-24 14:51

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (42 occurrences)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A (15 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A (1 occurrence)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A (15 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A (1 occurrence)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A (15 occurrences)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A (1 occurrence)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (6 detections)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A (1 occurrence)
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A (14 occurrences)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Internet Explorer\en-US\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files\7-Zip\Lang\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files\7-Zip\Lang\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Panther\setup.exe\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\System\Speech\explorer.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
File created C:\Windows\Panther\setup.exe\winlogon.exe C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
N/A N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3720 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe C:\Windows\System32\cmd.exe
PID 3888 wrote to memory of 4324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3888 wrote to memory of 836 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
PID 836 wrote to memory of 4848 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 836 wrote to memory of 2132 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4848 wrote to memory of 4296 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
PID 4296 wrote to memory of 4800 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4296 wrote to memory of 3976 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4800 wrote to memory of 2748 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
PID 2748 wrote to memory of 2424 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2748 wrote to memory of 1724 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2424 wrote to memory of 3272 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
PID 3272 wrote to memory of 5104 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3272 wrote to memory of 4352 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 5104 wrote to memory of 400 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
PID 400 wrote to memory of 4908 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 400 wrote to memory of 3152 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4908 wrote to memory of 3908 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
PID 3908 wrote to memory of 840 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 3908 wrote to memory of 2284 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 840 wrote to memory of 2708 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
PID 2708 wrote to memory of 1944 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2708 wrote to memory of 3512 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1944 wrote to memory of 4564 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
PID 4564 wrote to memory of 2564 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 4564 wrote to memory of 1900 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2564 wrote to memory of 2280 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
PID 2280 wrote to memory of 1056 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2280 wrote to memory of 4168 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1056 wrote to memory of 2812 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe
PID 2812 wrote to memory of 3164 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2812 wrote to memory of 4024 N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A
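The three policy values rewritten above (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, all forced to 0 by the dropped sppsvc.exe) together switch off User Account Control; a single row read in isolation understates the effect. The following Python is an added example written for this page, not tooling from the sandbox or from the DCRat family: it parses "Set value" rows in the format shown above, groups them by writing process, and reports the resulting UAC posture. The ROW_RE pattern and the default values assumed for keys the sample did not touch (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1, the Windows defaults) are this example's assumptions; the last sample row is a constructed control.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Rows in the sandbox report's "Set value" format. The first three are copied
# from the report above; the fourth is a constructed control row for a value
# the sample never wrote, attributed to a process that is not the implant.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" C:\Windows\System32\svchost.exe N/A',
]

# The UAC policy key. Only rows under this key are considered.
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Assumed row layout: "Set value (int) <path> = "<int>" <process> <target>".
# The process path may contain spaces, the target column does not.
ROW_RE = re.compile(
    r'^Set value \(int\) (?P<path>\\REGISTRY\\\S+) = "(?P<val>-?\d+)" (?P<proc>.+) (?P<target>\S+)$'
)

def parse_rows(rows: Iterable[str]) -> List[Tuple[str, str, int, str]]:
    """Return (value name, key path, integer written, writing process) for every
    row that writes a value directly under the UAC policy key."""
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key, _, name = m.group("path").rpartition("\\")
        if key.lower() != POLICY_KEY.lower():
            continue
        out.append((name, key, int(m.group("val")), m.group("proc")))
    return out

def effective_uac(values: Dict[str, int]) -> List[str]:
    """Describe the UAC posture that results from the written values.
    Keys not present are assumed at the Windows defaults (assumption)."""
    enable_lua = values.get("EnableLUA", 1)
    admin_prompt = values.get("ConsentPromptBehaviorAdmin", 5)
    secure_desktop = values.get("PromptOnSecureDesktop", 1)
    findings = []
    if enable_lua == 0:
        # EnableLUA is read at boot: the change lands after the next restart.
        findings.append("EnableLUA=0: UAC and admin-approval mode are off after the next reboot; "
                        "administrator processes then run with the full token")
    if admin_prompt == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevation requests from administrators "
                        "are granted silently, no consent or credential prompt")
    if secure_desktop == 0:
        findings.append("PromptOnSecureDesktop=0: any prompt that still appears is drawn on the "
                        "interactive desktop, where other processes can overlay or drive it")
    return findings

def audit(rows: Iterable[str]) -> Dict[str, List[str]]:
    """Group the policy writes by process and assess each process's net effect."""
    by_proc: Dict[str, Dict[str, int]] = {}
    for name, _, val, proc in parse_rows(rows):
        by_proc.setdefault(proc, {})[name] = val
    return {proc: effective_uac(vals) for proc, vals in by_proc.items()}

if __name__ == "__main__":
    for proc, findings in audit(SAMPLE_ROWS).items():
        print(proc)
        for f in findings:
            print("  -", f)
```

Grouping by process matters in a report like this one: the writes come from the dropped copy under Windows Sidebar\Gadgets, not from the original sample, so a detection keyed on the submitted file name alone would miss them.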

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe

"C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\odt\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cQTyHbvxeI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d82d5aa-45d5-4807-9916-e03525769b88.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acc37e4a-4df7-4402-b741-43e6041569cd.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12af547c-6d1d-47c9-bb37-707775950d4e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeef1934-9cbc-4e53-9f6e-47ab16da9127.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69d89d7a-7d7f-45e6-9c7b-85406d85cfe3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d2eda89-6efa-46e9-8ea6-ad91e7f02229.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4855fbf4-6480-4449-ae11-cf91d642e9b3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cb50c54-c2bc-488d-81eb-530e537b80fa.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d626d0fb-1c2f-4ce0-9714-aa48bb8f43da.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\234610d0-3143-4929-b184-fbd4359ef01d.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f901b504-4e76-4400-b8dc-fd02a73cbbce.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0ba46b-331d-4c29-86ab-cba3c3f4220b.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16ed0cc2-d84e-450f-88db-c7c05a06e2b0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3d42e74-c59e-456b-bf90-a7abb4e658b9.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ab1e69f-2f1f-401d-938e-f71bfd6a81cd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0521a46e-267a-4466-9198-ae95eea5129a.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5af0a6be-4f61-470c-9af3-d9e879f95f18.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\511dbcf7-6261-4495-bcae-32f8c7d1e554.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd8c8fd3-70ad-491b-a007-d682790a8883.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59cfbf42-15d8-4219-b6d8-dde0e5477e4f.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d5fdedc-353f-4832-9fd6-594eaec6169c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b32e7722-975d-443b-9f16-895a030b2aac.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d16705fd-80b4-4001-9000-eaf5f70a146d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3511aee2-03e2-402d-8c2d-2d50e9aaad2f.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d85c7a2e-b8f9-44c3-9be9-bb12676c3c7e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2e18fdc-f38a-4263-966e-482f44ab5aae.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009483e7-25f6-445b-97f6-d52c08f7eae0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f46d3ffb-f327-42d1-bcab-d066b0c99748.vbs"

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe"
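The process list above shows the DCRat persistence pattern in full: for each dropped copy the sample registers three tasks, one ONLOGON task with /rl HIGHEST and two MINUTE tasks that relaunch the binary every few minutes, each task named after the target file plus a trailing letter ("lsassl", "csrssc", "winlogonw"), and each target a system-binary name placed somewhere it does not belong (C:\odt\lsass.exe, C:\Users\Default User\csrss.exe, a directory called C:\Windows\Panther\setup.exe). The w32tm /stripchart call in between is the batch file's way of sleeping a few seconds before starting the dropped copy. The Python below is an added example written for this page, not code from the sandbox or from the malware: it parses schtasks /create command lines in the format shown above and scores each one on those four traits. The SYSTEM_BINARY_NAMES set, the LEGIT_PREFIXES allow-list and the two-reason threshold are this example's assumptions and should be tuned per estate; the final sample line is a constructed benign control.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Names the dropper reuses for its copies (assumption: extend for your estate).
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe", "spoolsv.exe",
    "sppsvc.exe", "explorer.exe", "runtimebroker.exe", "backgroundtaskhost.exe",
    "searchapp.exe", "sppextcomobj.exe", "svchost.exe", "dwm.exe", "smss.exe",
}
# Where those names legitimately live (assumption; tune per Windows build).
LEGIT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\systemapps\\")
LEGIT_EXACT = {"c:\\windows\\explorer.exe"}

# Command lines in the report's format. The first four are copied from the
# process list above; the last is a constructed benign control.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\odt\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyDefrag" /sc DAILY /st 02:00 /tr "C:\Windows\System32\defrag.exe" /f''',
]

# The /tr value is double-quoted and, in this family, wrapped in single quotes
# as well; the pattern accepts both forms.
_FIELDS = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "tr": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),
    "sc": re.compile(r"/sc\s+(\w+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "rl": re.compile(r"/rl\s+(\w+)", re.I),
}

@dataclass
class TaskFinding:
    task_name: str
    target: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption: two independent traits before alerting.
        return len(self.reasons) >= 2

def parse_schtasks(cmdline: str) -> dict:
    """Extract the /tn, /tr, /sc, /mo and /rl arguments (None when absent)."""
    out = {}
    for key, rx in _FIELDS.items():
        m = rx.search(cmdline)
        out[key] = m.group(1) if m else None
    return out

def assess(cmdline: str) -> Optional[TaskFinding]:
    """Score one 'schtasks /create' line; returns None for non-create lines."""
    if "/create" not in cmdline.lower():
        return None
    f = parse_schtasks(cmdline)
    if not f["tn"] or not f["tr"]:
        return None
    low = f["tr"].lower()
    base = low.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.endswith(".exe") else base
    finding = TaskFinding(f["tn"], f["tr"])

    # 1. A system-binary name outside the directories it normally lives in.
    if base in SYSTEM_BINARY_NAMES and not (low.startswith(LEGIT_PREFIXES) or low in LEGIT_EXACT):
        finding.reasons.append("system binary name at non-system path")
    # 2. Task name equals the file stem, or the stem plus one trailing character.
    tn = f["tn"].lower()
    if tn == stem or (len(tn) == len(stem) + 1 and tn.startswith(stem)):
        finding.reasons.append("task name derived from target file name")
    # 3. Highest available run level requested.
    if (f["rl"] or "").upper() == "HIGHEST":
        finding.reasons.append("/rl HIGHEST")
    # 4. Relaunched every few minutes, which revives the implant if killed.
    if (f["sc"] or "").upper() == "MINUTE" and f["mo"] and int(f["mo"]) <= 15:
        finding.reasons.append(f"relaunch every {f['mo']} min")
    return finding

def triage(cmdlines) -> List[TaskFinding]:
    """Suspicious findings only, most reasons first."""
    found = [a for a in (assess(c) for c in cmdlines) if a and a.suspicious]
    return sorted(found, key=lambda x: -len(x.reasons))

if __name__ == "__main__":
    for r in triage(SAMPLE_CMDLINES):
        print(f"{r.task_name:16} {r.target:50} {'; '.join(r.reasons)}")
```

Fed the process tree from the report, the same logic covers all three task variants per binary; the benign control (a real System32 binary, a descriptive task name, a daily schedule) scores nothing. The strongest single signal is trait 1: a file called lsass.exe or csrss.exe that a scheduled task starts from anywhere other than System32 is never legitimate.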

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 a0917913.xsph.ru udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp

Files

memory/3720-0-0x0000000000910000-0x0000000000C40000-memory.dmp

memory/3720-1-0x00007FFC13BA0000-0x00007FFC14661000-memory.dmp

memory/3720-2-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

memory/3720-3-0x0000000002E40000-0x0000000002E4E000-memory.dmp

memory/3720-4-0x0000000002E50000-0x0000000002E5E000-memory.dmp

memory/3720-5-0x0000000002E60000-0x0000000002E68000-memory.dmp

memory/3720-6-0x0000000002E70000-0x0000000002E78000-memory.dmp

memory/3720-7-0x0000000002E80000-0x0000000002E90000-memory.dmp

memory/3720-8-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

memory/3720-9-0x0000000002E90000-0x0000000002E98000-memory.dmp

memory/3720-10-0x0000000002FE0000-0x0000000002FF2000-memory.dmp

memory/3720-11-0x0000000003010000-0x000000000301C000-memory.dmp

memory/3720-12-0x0000000002FF0000-0x0000000002FF8000-memory.dmp

memory/3720-13-0x0000000003000000-0x0000000003010000-memory.dmp

memory/3720-14-0x0000000003020000-0x000000000302A000-memory.dmp

memory/3720-15-0x000000001B940000-0x000000001B996000-memory.dmp

memory/3720-16-0x0000000003030000-0x000000000303C000-memory.dmp

memory/3720-17-0x0000000003040000-0x0000000003048000-memory.dmp

memory/3720-18-0x0000000003050000-0x000000000305C000-memory.dmp

memory/3720-19-0x0000000003060000-0x0000000003068000-memory.dmp

memory/3720-20-0x000000001B990000-0x000000001B9A2000-memory.dmp

memory/3720-21-0x000000001C640000-0x000000001CB68000-memory.dmp

memory/3720-22-0x000000001B9C0000-0x000000001B9CC000-memory.dmp

memory/3720-23-0x000000001B9D0000-0x000000001B9DC000-memory.dmp

memory/3720-24-0x000000001B9F0000-0x000000001B9F8000-memory.dmp

memory/3720-25-0x000000001C110000-0x000000001C11C000-memory.dmp

memory/3720-26-0x000000001C120000-0x000000001C12C000-memory.dmp

memory/3720-27-0x000000001C230000-0x000000001C238000-memory.dmp

memory/3720-28-0x000000001C240000-0x000000001C24A000-memory.dmp

memory/3720-29-0x000000001C250000-0x000000001C25E000-memory.dmp

memory/3720-30-0x000000001C360000-0x000000001C368000-memory.dmp

memory/3720-31-0x000000001C370000-0x000000001C37E000-memory.dmp

memory/3720-32-0x000000001C380000-0x000000001C38C000-memory.dmp

memory/3720-33-0x000000001C390000-0x000000001C398000-memory.dmp

memory/3720-34-0x000000001C3A0000-0x000000001C3AA000-memory.dmp

memory/3720-35-0x000000001C3B0000-0x000000001C3BC000-memory.dmp

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe

MD5 1994f3ef2118aeecbb74e6c8976fd47b
SHA1 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

C:\Users\Admin\AppData\Local\Temp\cQTyHbvxeI.bat

MD5 802e033163d69821a99513883b5658b0
SHA1 e5e824f6ceabcb0fcf6e7fdf4d5832e8a1248c85
SHA256 55c0b7b1df58cdb684173782052cf3b87f4493626ef576b43995727ccd91b5f3
SHA512 b290bf94712c1f0e980cded735dc3e24e6bdd7612d0bac0b3097a21f462f82ab0af83cd371567ccf33455408d3ba1946e5d4077489ce6ad60a39eeec8a69d846

memory/3720-70-0x00007FFC13BA0000-0x00007FFC14661000-memory.dmp

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

MD5 86d7e50391e4806fe5609633525e071e
SHA1 edd3ceada10bdcde88c56746c8ec435f85e46658
SHA256 863057243124f2dcf1a8366886e41226e2b747f9eddbcdd5578f445f41b18aea
SHA512 9c54d91fe4df3fa9d6bd71170f2a5620b7f8c678a40cc35598b1334657c481961255822518b3bbd5cf84d2135c0225686991825cbcf19bc2c599a6c04d92ac4c

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

MD5 0016eafec1d4cb57bb7c1a1feaf1a8d3
SHA1 ee49434cab7bcb04a084386d07b2637201a14193
SHA256 eac7503539af33b83e0bce8a54d10c2f46d3e2bc190aad4d5914b26f3bc1c392
SHA512 621930cbd2bf8c218717e699a34bc81179d2a4a0f3c6731fa65a8f747cd910d296746046570bc583cc991162e17a76a3eb58485c962139d73dbed108f4572a51

memory/836-74-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/836-75-0x000000001B980000-0x000000001B990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8d82d5aa-45d5-4807-9916-e03525769b88.vbs

MD5 5e4850cb05206a2df1723d896baa8833
SHA1 f95848994124d4a12cd717eba12c36d998cd1595
SHA256 41ec6997ca8b2b749ed0c49294351f77570dd96c7327e5aeb1581a4fb26a0937
SHA512 cf028b6f186112a74b84bbe63c65bdef6f304a6be43794723a0fe9bcde186ed0a4a198e852a12b7c8397133d9394ebeecd69d79f9ec9283053ddadd807f1ed42

C:\Users\Admin\AppData\Local\Temp\acc37e4a-4df7-4402-b741-43e6041569cd.vbs

MD5 bd2810464d4f16be36c4b29dbccbf59d
SHA1 91f8241bf8b21e959b23c5deac9fffa35a5c38a0
SHA256 d392ee756d3d81c0419cebff8302f7dec199efe7f179976755852193bea1e232
SHA512 9f135dc93d9d54451ba965773beb2c2c075cbbf45341d1604a6e3ef1aaa3f9b056df78d091c6d2ad8237284d8685e073e1a95462670cff9b1519a7bd3df3f955

memory/836-86-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

MD5 caa9da90d9bfc2c0fbadbf7eb57d1aae
SHA1 b0237d1cdb8c7fdb6f89e72475dbfb639c025ed7
SHA256 b5c2348671b5ad62cc02ded41adcf1855341bd6d20706bf45d9d68e4cddd4bbd
SHA512 da20485cf87f6e9b95141dea062188b5a2299ff1e1a7f83446afac0d8b70a2d18d02b60b232b2c9e6af5071906dd08f41cf4637379165c1823a9fa9b82d155d8

memory/4296-89-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/4296-90-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\12af547c-6d1d-47c9-bb37-707775950d4e.vbs

MD5 6958c61f6851698e8099cd0d3550e3de
SHA1 0ca86563a21078dc365aabda909b8cb3a19f5f52
SHA256 bc352647a4880304bcef4cbb562916b09852abcffea1aeb34e9b83b6d5f4fcc1
SHA512 02089be90e6b8c2fc199fa31fae3ef5d16c2b5a483ec4a519977cf3519642e74d0102f347975cbdc753417cfc7040fdacf3ce7606f8f31f3acc9df42c4e4c54f

memory/4296-101-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/2748-103-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/2748-104-0x000000001B060000-0x000000001B070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\69d89d7a-7d7f-45e6-9c7b-85406d85cfe3.vbs

MD5 e14f9f0df9bc185250e91f59453d7817
SHA1 bee851bc19586acad00caa30082f28d1db1a4e1a
SHA256 69914e2cd0c232c2e0da6ea10796164dd8bd45833864dd26319cd196d5e7bdc8
SHA512 66c9b82c0842008bb30c42a49f0e87886e2a60ff7bdf8577b2e54fc8c14ae2630533810331779a32036d4ffe20b766a981f9eb070a5091250cf27af606ef3771

memory/2748-115-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/3272-117-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/3272-118-0x000000001B290000-0x000000001B2A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4855fbf4-6480-4449-ae11-cf91d642e9b3.vbs

MD5 3de88506bb7cec272ec7d6ce6e3343ad
SHA1 0461b3ce904089f0e61d0fd483d97a6f92def10b
SHA256 e7f0f0028d222ec2f3b1950904780104794d48d9527a721f07aab350929481dc
SHA512 7a19d1a6255db9f82082db10ed152477a82b22fc217c0eeb29f389f47a81fb3d6b714e0042562db9e018acba39b4cdfb1e3ba708923a47f239bb22d022e7bef3

memory/3272-129-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/400-131-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/400-132-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

memory/400-133-0x000000001B9C0000-0x000000001B9D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d626d0fb-1c2f-4ce0-9714-aa48bb8f43da.vbs

MD5 6d012f2e58754e56d6e11ffd6625dee6
SHA1 22f43c246fde423f5aed8017348bfd453a0db060
SHA256 6c25775d402472f1029994dc1bd787d1553c379e04b6c5481b9fce3dc87d2c6d
SHA512 c7698ed47485b422042db109d7dbcecf123dab0734ce082185378d0c0b2dd9b0d194d0af4d3d3fb7ed2b9eb82afe9cbb4747328d9c6a99aaf2dec416d19a0d86

memory/400-144-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/3908-146-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/3908-147-0x000000001BE00000-0x000000001BE10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f901b504-4e76-4400-b8dc-fd02a73cbbce.vbs

MD5 82cace29aa6ac72793ea438659b0549a
SHA1 430b58d7e7a547af99ac4c719d2a0e08817a44fe
SHA256 1ca4adac2d55d14fb84777d9b7cf64827263b5dedd0be41b5a64a606ca9fdf1a
SHA512 e517d625a07a63147f7fa107e5144bed9c0b16be09c8a520757db9940373b08285ca51dd8f3e10d29707fce635375d9c92501377687fb01a0f810d3f93fe4ca6

memory/3908-158-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/2708-160-0x00007FFC13180000-0x00007FFC13C41000-memory.dmp

memory/2708-161-0x000000001BB30000-0x000000001BB40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\16ed0cc2-d84e-450f-88db-c7c05a06e2b0.vbs

MD5 68b89f0c229262f5b9b89844bd825ec3
SHA1 8147826601e70814e96e66a25c5cd238e9e26c4e
SHA256 f0cda4907e54d66f078573cf7e881c2b83bd5fedf4165e9601baaff2c3b97b1c
SHA512 86f5e100ae5c66e027eefccef754addd0c875a01f59d48d1eaa79adaca00d726907bf554d08654a63966256ca0ca743e1f99b719d67230b1aede59f389306848

memory/2708-172-0x00007FFC13180000-0x00007FFC13C41000-memory.dmp

memory/4564-174-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/4564-175-0x0000000001820000-0x0000000001830000-memory.dmp

memory/4564-176-0x0000000001B40000-0x0000000001B52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\99d342b3bebe85959c38e2102e6dd3992fc9b899.exe

(The four digests below are those of zero-byte input: the file was hashed on creation, before its content was written. The later entry for the same path carries the populated file.)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\6ab1e69f-2f1f-401d-938e-f71bfd6a81cd.vbs

MD5 e066873c029dcc396bda6878d4c89b13
SHA1 73b33123530ff05397590b7b9f78e1a834f6c4dc
SHA256 bd955b17bb71ebabfd0a103d99c02aed6f0c67c0b9fb27bb66266ca888635ce3
SHA512 583d60cae6177a3bbb26b4feec194eec30d066c5818fa9be697231a37a3065671f160b29f7b3d5d0641dededf521df0ef89826fe4c8b236eb86580ed3b8cc868

memory/4564-187-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

memory/2280-189-0x00007FFC13620000-0x00007FFC140E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5af0a6be-4f61-470c-9af3-d9e879f95f18.vbs

MD5 032300f58a786600b434da92591dcf31
SHA1 a309714b9f17898e7e7d64f0b9f4b1a3803b98c8
SHA256 1cd332109c45eb557f6a9c1fef1339b29848a8b960eeb4f60d0cfbccf5639682
SHA512 fd603835b2a0175456f9ae1b1053e3cb04befad12434c473c424c10555c9c09f5ba43bf2ce3c83e4fe1d7bc9b13c7b1043ae9a8a4a6933dec0df98b0884fde92

C:\Users\Admin\AppData\Local\Temp\dd8c8fd3-70ad-491b-a007-d682790a8883.vbs

MD5 7bb9115e32e0d7e73740edae13322668
SHA1 cb6a86aa37b59184832a853bf7e88535bd2f3dfc
SHA256 d8a5b6dfda1e73a663ea4d68d015c636338533b4a8c55098933c24118b92224c
SHA512 903a97f22fbcdc2d231105199c521d005fc2ab84e33a26bb56ead8b5966f63741f3ef3f8a516d1ea4aa018f900c5b7243256984435f3def4404904916da9a8d3

C:\Users\Admin\AppData\Local\Temp\7d5fdedc-353f-4832-9fd6-594eaec6169c.vbs

MD5 57dcdc9d61d7b636af4c1f8967726b22
SHA1 eecf3265b448ec7a8cfcb68f45bc96e7f367f7b9
SHA256 e9850007590b93e6a726e4bf015deaf7de2596c37ad9710bf8c6f290f9886262
SHA512 1e95a4f8b6d64fbc3655e0d4bfb22eeec7d86dc330050bc6f2985b3d8e7e4a86cd4a859dcb4e8e8a93adba48d66c4e4f973d0653e3f54ca744c11576d1c128ef

C:\Users\Admin\AppData\Local\Temp\99d342b3bebe85959c38e2102e6dd3992fc9b899.exe

MD5 5ebd26f7b539d06ee26e4335bdad1bac
SHA1 f8013bd49ea6c345395c56f4c373e39fe5b1d2eb
SHA256 7314a4df55312d5b2952c66fdc0ba36c2f5b1dbb3ad88f1dd2ba283c8400696b
SHA512 c343fb3b8c82967042a407d684cdb5968d80446e96d1fdfe9c4e33ca727a26281a2e7cae05a997f4983ecf61e3aec41252b544ef827592d556c4a5ffe76e8e73

C:\Users\Admin\AppData\Local\Temp\d16705fd-80b4-4001-9000-eaf5f70a146d.vbs

MD5 f58676873042c719ebaf8b09a8ed9bc5
SHA1 16d338bf9877a5a50cea1ab6f2be274d436e64eb
SHA256 b935a5adc967d708ee1206fb2b5e2a06f1e1adf89ee588bc04205c9ddb6f279a
SHA512 7aa7e17686d7dd027a0090e88e6c6bf271752ffac049aec46bd9b77cbb1de78f5b128aab60e7e3b2da379ee07cecf51e8461d0f2266e17e356a45991d742e241

C:\Users\Admin\AppData\Local\Temp\d85c7a2e-b8f9-44c3-9be9-bb12676c3c7e.vbs

MD5 7a2b247056bedb213065666fc44b2bc4
SHA1 43f6bd5f51fb09b0e1b7141c82cd9a751c31378a
SHA256 3391a068ee113ffd25899758604b4ffe9ada35c80732984a31176085c3b86664
SHA512 68fbacfda257908caa98d4c20517d6f7aed5fdd40778fc70807be6521f72d1be3cc740cb887806131c7ce1f21ff0f54d340a8ecab25e340eaaa0a92a35eb1ca1

C:\Users\Admin\AppData\Local\Temp\009483e7-25f6-445b-97f6-d52c08f7eae0.vbs

MD5 8ad4abd699e6a798f3b29220f25ca555
SHA1 fb5fadea7b6c353e5f9436cb3e51482cc6993ebb
SHA256 d993ee5e38de9b2a8d31008ee67ccdf3e331da8e166a1513e37034ed56d48fe5
SHA512 9a219fb5afa8ba7f999603f03130a66a0c22e93c97745fe41f4f1453644c5da5febf2514a3280e4857f8eeedb3e524da0eb2c7e18f68c8805daee041370bcc07

C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe

MD5 028958f59e67b43c84615a52817d8977
SHA1 2fd828295bb4dba9f860dc7f3e814c19e9f2a0ac
SHA256 f3b7cac5543a7ede99252839adaf7ed67782c2e5fa4230f270d79178dca3e43a
SHA512 bda4d5620242f4122477e6e9fec6f53149e8a389e8acb4de81cdb36692c3ac9c6b54015d601e2794ebccd7cfaa11f3e417b567945220af0cefad993a9ba7e6b1