Malware Analysis Report

2025-06-15 19:46

Sample ID 240325-cmfnyagb81
Target 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
Tags
rat dcrat evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c

Threat Level: Known bad

The file 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

UAC bypass

Process spawned unexpected child process

Dcrat family

DCRat payload

DcRat

DCRat payload

Detects executables packed with SmartAssembly

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 02:11

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 02:11

Reported

2024-03-25 02:14

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

wmiprvse.exe is the WMI provider host. A process created through WMI (Win32_Process.Create) gets wmiprvse.exe as its parent, so the schtasks.exe launches below show the scheduled tasks being created via WMI rather than directly by the sample: the real caller is hidden from parent/child process telemetry. The schtasks.exe command lines are not captured in this section.

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (27 identical rows)

UAC bypass

evasion trojan

Despite the signature name, nothing here defeats a UAC prompt. The rows set the three UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0: EnableLUA = 0 switches UAC off entirely (effective after the next reboot), ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 takes the prompt off the secure desktop. Writing to that key already requires an elevated process, so the effect is to disable UAC for everything that runs afterwards. Both the original sample and the dropped taskhost.exe copy perform the writes, repeatedly.

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (18 hits, no indicator details recorded)

Detects executables packed with SmartAssembly

SmartAssembly is a commercial .NET obfuscator, consistent with DCRat being a .NET RAT; the hits are on the sample and its dropped copies, so strings and type names will need de-obfuscation (de4dot supports SmartAssembly) before static analysis is useful.

Description Indicator Process Target
N/A N/A N/A N/A (8 hits, no indicator details recorded)

Checks whether UAC is enabled

evasion trojan

The "Key value queried" rows are the check itself (EnableLUA read back by taskhost.exe and once by the sample); the "Set value" rows are the same writes already listed under UAC bypass, repeated here because the two signatures overlap.

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A

Drops file in Program Files directory

The sample writes copies of itself into unrelated Program Files subdirectories under the names of Windows system binaries (winlogon.exe, wininit.exe, taskhost.exe, audiodg.exe, Idle.exe), plus one copy under its own hash name in the Windows Defender folder. Each copy is accompanied by an extension-less file with a 14-character hexadecimal name (for example cc11b995f2a76d beside winlogon.exe); the same marker name, 42af1c969fbb7b, recurs wherever audiodg.exe is dropped (here and under C:\Windows\Cursors in the next table), so the marker name appears to be derived from the executable name. The taskhost.exe copy in Windows Portable Devices is the one that runs for the rest of this report.

Description Indicator Process Target
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Windows Portable Devices\taskhost.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Windows Portable Devices\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Windows Defender\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Windows Defender\4f0e8709060575 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\Idle.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\VideoLAN\audiodg.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\VideoLAN\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\56085415360792 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Cursors\audiodg.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Windows\Cursors\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
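
An added Python example (not part of this report or of the sandbox that produced it) that pairs each dropped executable in the two tables above with the marker file written beside it and flags copies named after System32 binaries that were placed elsewhere. The paths are the ones listed above, rebuilt in the page's row format; the set of System32 binary names used for the masquerade check is the script's own assumption.

```python
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"
# Paths from the report's two "Drops file" tables, in report order.
DROPPED = [
    r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe",
    r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\cc11b995f2a76d",
    r"C:\Program Files\Windows Portable Devices\taskhost.exe",
    r"C:\Program Files\Windows Portable Devices\b75386f1303e64",
    r"C:\Program Files\Windows Defender\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe",
    r"C:\Program Files\Windows Defender\4f0e8709060575",
    r"C:\Program Files\DVD Maker\fr-FR\Idle.exe",
    r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe",
    r"C:\Program Files\VideoLAN\audiodg.exe",
    r"C:\Program Files\VideoLAN\42af1c969fbb7b",
    r"C:\Program Files\DVD Maker\fr-FR\6ccacd8608530f",
    r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\56085415360792",
    r"C:\Windows\Cursors\audiodg.exe",
    r"C:\Windows\Cursors\42af1c969fbb7b",
]
# Rebuilt in the page's "File created <path> <dropper> N/A" row format so the parser sees the real layout.
REPORT_ROWS = "\n".join(f"File created {p} {DROPPER} N/A" for p in DROPPED)

ROW = re.compile(r"^File created (.+) (C:\\\S+\.exe) N/A$")   # dropper path has no spaces
MARKER = re.compile(r"^[0-9a-f]{14}$")                         # DCRat's extension-less sidecar
# Assumption: genuine Windows binaries that belong in C:\Windows\System32 (taskhost.exe on Windows 7).
SYSTEM_BINARIES = {"winlogon.exe", "wininit.exe", "audiodg.exe", "taskhost.exe",
                   "svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "dwm.exe"}


def split_path(path):
    directory, _, name = path.rpartition("\\")
    return directory, name


def parse_rows(text):
    """(created path, dropping process) for every row in the report's format."""
    return [(m[1], m[2]) for m in map(ROW.match, text.splitlines()) if m]


def group_by_directory(paths):
    groups = defaultdict(lambda: {"exes": [], "markers": [], "other": []})
    for path, _dropper in paths:
        directory, name = split_path(path)
        bucket = ("exes" if name.lower().endswith(".exe")
                  else "markers" if MARKER.match(name) else "other")
        groups[directory][bucket].append(name)
    return dict(groups)


def pair_copies(groups):
    """One record per dropped executable with the marker written beside it (None if absent).
    Each directory in this run holds exactly one copy and one marker."""
    return [{"dir": d, "exe": exe, "marker": g["markers"][0] if g["markers"] else None}
            for d, g in groups.items() for exe in g["exes"]]


def masquerades(pairs):
    """Copies carrying a System32 binary's name but living somewhere else."""
    return [p for p in pairs if p["exe"].lower() in SYSTEM_BINARIES
            and not p["dir"].lower().startswith(r"c:\windows\system32")]


def marker_by_name(pairs):
    """Marker names seen next to each executable name; a single marker per name
    suggests the marker is derived from the file name."""
    out = defaultdict(set)
    for p in pairs:
        if p["marker"]:
            out[p["exe"].lower()].add(p["marker"])
    return dict(out)


if __name__ == "__main__":
    pairs = pair_copies(group_by_directory(parse_rows(REPORT_ROWS)))
    for p in pairs:
        print(f"{p['exe']:<20} marker={p['marker']}  in {p['dir']}")
    print("masquerading copies:", [p["dir"] + "\\" + p["exe"] for p in masquerades(pairs)])
    print("marker per name:", marker_by_name(pairs))
```

The pair list doubles as a hunt list: search endpoints for any of the executable paths, or for 14-character hexadecimal extension-less files in Program Files, which is a more durable indicator than the randomly chosen drop directories.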

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A (13 identical rows)
N/A N/A C:\Program Files\Windows Portable Devices\taskhost.exe N/A (51 identical rows)

Suspicious use of WriteProcessMemory

These writes are the sandbox's record of process creation: CreateProcess writes the new process's parameters into the child, so every creation shows up as parent-to-child writes, and in this run each one is logged as three identical rows (the final creation is cut off after one). Read as a tree, the sample (PID 272) starts cmd.exe (PID 1396), which runs w32tm.exe and then the dropped taskhost.exe copy (PID 2100); from there every taskhost.exe starts two WScript.exe instances and one of the two starts the next taskhost.exe, a relaunch loop that continues until the run ends. A w32tm.exe call from a batch file is commonly used as a delay in DCRat launchers, but its command line is not captured here. Note the PID reuse: 1396 is cmd.exe in the early rows and a WScript.exe child of PID 2676 later, so rows must be correlated by image and order, not by PID alone.

Description Indicator Process Target
PID 272 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe C:\Windows\System32\cmd.exe
PID 272 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe C:\Windows\System32\cmd.exe
PID 272 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe C:\Windows\System32\cmd.exe
PID 1396 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1396 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1396 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1396 wrote to memory of 2100 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 1396 wrote to memory of 2100 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 1396 wrote to memory of 2100 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2100 wrote to memory of 1760 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2100 wrote to memory of 1760 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2100 wrote to memory of 1760 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2100 wrote to memory of 1536 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2100 wrote to memory of 1536 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2100 wrote to memory of 1536 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 1760 wrote to memory of 2352 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 1760 wrote to memory of 2352 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 1760 wrote to memory of 2352 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2352 wrote to memory of 2524 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2352 wrote to memory of 2524 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2352 wrote to memory of 2524 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2352 wrote to memory of 1944 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2352 wrote to memory of 1944 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2352 wrote to memory of 1944 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2524 wrote to memory of 2580 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2524 wrote to memory of 2580 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2524 wrote to memory of 2580 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2580 wrote to memory of 2932 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2580 wrote to memory of 2932 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2580 wrote to memory of 2932 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2580 wrote to memory of 1812 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2580 wrote to memory of 1812 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2580 wrote to memory of 1812 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2932 wrote to memory of 2676 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2932 wrote to memory of 2676 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2932 wrote to memory of 2676 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2676 wrote to memory of 1396 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2676 wrote to memory of 1396 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2676 wrote to memory of 1396 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2676 wrote to memory of 1364 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2676 wrote to memory of 1364 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2676 wrote to memory of 1364 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 1396 wrote to memory of 704 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 1396 wrote to memory of 704 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 1396 wrote to memory of 704 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 704 wrote to memory of 1648 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 704 wrote to memory of 1648 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 704 wrote to memory of 1648 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 704 wrote to memory of 2832 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 704 wrote to memory of 2832 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 704 wrote to memory of 2832 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 1648 wrote to memory of 2512 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 1648 wrote to memory of 2512 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 1648 wrote to memory of 2512 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2512 wrote to memory of 2632 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 2632 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 2632 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 2128 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 2128 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 2128 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
PID 2632 wrote to memory of 2648 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2632 wrote to memory of 2648 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2632 wrote to memory of 2648 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Portable Devices\taskhost.exe
PID 2648 wrote to memory of 2508 N/A C:\Program Files\Windows Portable Devices\taskhost.exe C:\Windows\System32\WScript.exe
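
To make the chain above easier to read, here is an added Python example (not from the report or the sandbox) that rebuilds the process tree from rows in this table's format. It collapses the repeated rows, creates a fresh node when a PID is seen again with a different image (the PID 1396 reuse), and reports the depth of the relaunch loop and the taskhost.exe instances in start order. The rows are regenerated from the 22 creations listed in the table, each repeated three times as the table does.

```python
import re
from collections import Counter

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$", re.I)

# Process images exactly as they appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"
CMD, W32TM = r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\w32tm.exe"
TASKHOST = r"C:\Program Files\Windows Portable Devices\taskhost.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"

# The 22 distinct (parent pid, child pid, parent image, child image) creations in the
# table, in table order. Each is emitted three times below to mirror the table's rows.
CREATIONS = [
    (272, 1396, SAMPLE, CMD), (1396, 1556, CMD, W32TM), (1396, 2100, CMD, TASKHOST),
    (2100, 1760, TASKHOST, WSCRIPT), (2100, 1536, TASKHOST, WSCRIPT), (1760, 2352, WSCRIPT, TASKHOST),
    (2352, 2524, TASKHOST, WSCRIPT), (2352, 1944, TASKHOST, WSCRIPT), (2524, 2580, WSCRIPT, TASKHOST),
    (2580, 2932, TASKHOST, WSCRIPT), (2580, 1812, TASKHOST, WSCRIPT), (2932, 2676, WSCRIPT, TASKHOST),
    (2676, 1396, TASKHOST, WSCRIPT), (2676, 1364, TASKHOST, WSCRIPT), (1396, 704, WSCRIPT, TASKHOST),
    (704, 1648, TASKHOST, WSCRIPT), (704, 2832, TASKHOST, WSCRIPT), (1648, 2512, WSCRIPT, TASKHOST),
    (2512, 2632, TASKHOST, WSCRIPT), (2512, 2128, TASKHOST, WSCRIPT), (2632, 2648, WSCRIPT, TASKHOST),
    (2648, 2508, TASKHOST, WSCRIPT),
]
REPORT_ROWS = "\n".join(f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
                        for p, c, pi, ci in CREATIONS for _ in range(3))


class Proc:
    def __init__(self, pid, image, parent=None):
        self.pid, self.image, self.parent, self.children = pid, image, parent, []

    @property
    def name(self):
        return self.image.rsplit("\\", 1)[-1]


def build_tree(rows):
    """Rebuild the tree from report rows. `live` maps a PID to its *current* holder, so a
    recycled PID becomes a second node instead of a cycle. Returns (nodes, reused pids)."""
    live, nodes, reused, prev = {}, [], [], None
    for line in rows.splitlines():
        m = ROW.match(line)
        if not m or m.groups() == prev:          # skip non-rows and the repeated copies
            continue
        prev = m.groups()
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        parent = live.get(ppid)
        if parent is None or parent.image != pimg:   # unseen parent: becomes a root
            parent = Proc(ppid, pimg)
            nodes.append(parent)
            live[ppid] = parent
        if cpid in live:                              # PID handed out again
            reused.append(cpid)
        child = Proc(cpid, cimg, parent)
        parent.children.append(child)
        nodes.append(child)
        live[cpid] = child
    return nodes, reused


def roots(nodes):
    return [n for n in nodes if n.parent is None]


def depth(node):
    return 0 if not node.children else 1 + max(depth(c) for c in node.children)


def render(node, indent=0):
    lines = [f"{'  ' * indent}{node.name} (pid {node.pid})"]
    for c in node.children:
        lines.extend(render(c, indent + 1))
    return lines


def image_counts(nodes):
    return Counter(n.name for n in nodes)


def relaunch_chain(nodes):
    """PIDs of the taskhost.exe instances in the order they were started."""
    return [n.pid for n in nodes if n.name == "taskhost.exe"]


if __name__ == "__main__":
    nodes, reused = build_tree(REPORT_ROWS)
    root = roots(nodes)[0]
    print("\n".join(render(root)))
    print("processes:", len(nodes), "| depth:", depth(root), "| reused PIDs:", reused)
    print("taskhost.exe relaunch order:", relaunch_chain(nodes))
```

Keying on the current holder of a PID is the important detail: a naive `pid -> node` map would attach PID 704 to the long-dead cmd.exe and hide half of the loop.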

System policy modification

evasion

The same three UAC policy writes again, this time matched by the generic policy-modification signature; only EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop appear, so no other policy is touched in this run.

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Portable Devices\taskhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe

"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1cc83c02-d10e-11ee-94d5-decc1f73fbe3\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1cc83c02-d10e-11ee-94d5-decc1f73fbe3\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1cc83c02-d10e-11ee-94d5-decc1f73fbe3\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c5" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c5" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\fr-FR\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEWX68JQRQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Portable Devices\taskhost.exe

"C:\Program Files\Windows Portable Devices\taskhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b1faba7-8be4-4277-bda7-c7af6e7267fe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2257f5aa-a96d-4391-bd92-6f2cae19b328.vbs"

C:\Program Files\Windows Portable Devices\taskhost.exe

"C:\Program Files\Windows Portable Devices\taskhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efab0641-dc63-4a40-a90c-20f9b55c12f0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e7cc682-13ad-47d4-a834-2fce43e65dbb.vbs"

C:\Program Files\Windows Portable Devices\taskhost.exe

"C:\Program Files\Windows Portable Devices\taskhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38f4b424-09d2-47e5-8131-39468d9594c5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07d82ff2-5c02-411a-b215-7a2e81012cb5.vbs"

C:\Program Files\Windows Portable Devices\taskhost.exe

"C:\Program Files\Windows Portable Devices\taskhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c91e2168-0cc0-4dc7-af5d-60e006404385.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66470262-aa26-4459-aa35-caee02d96a17.vbs"

C:\Program Files\Windows Portable Devices\taskhost.exe

"C:\Program Files\Windows Portable Devices\taskhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40ef7bf1-6515-4952-8dfa-f5d30cf1649a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a792473-89f2-4026-b7b9-c3c24021a1ae.vbs"

C:\Program Files\Windows Portable Devices\taskhost.exe

"C:\Program Files\Windows Portable Devices\taskhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaeb500c-8888-46c1-82eb-d8d5c6e8ee87.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9779ddd3-160f-4355-9928-fe0a1de73e50.vbs"

C:\Program Files\Windows Portable Devices\taskhost.exe

"C:\Program Files\Windows Portable Devices\taskhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffd9dfd1-3b58-49ca-957d-9d6dc7f1fe84.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55554c62-aa26-4d14-a2b1-ce3cb4fd9776.vbs"

C:\Program Files\Windows Portable Devices\taskhost.exe

"C:\Program Files\Windows Portable Devices\taskhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efa11173-157f-433e-903c-af59ae7aee42.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56ff67d3-f552-4cca-838e-4318b56d7eba.vbs"

C:\Program Files\Windows Portable Devices\taskhost.exe

"C:\Program Files\Windows Portable Devices\taskhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0917913.xsph.ru udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp

Files

C:\Recovery\1cc83c02-d10e-11ee-94d5-decc1f73fbe3\wininit.exe

MD5 1994f3ef2118aeecbb74e6c8976fd47b
SHA1 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

C:\Users\Admin\AppData\Local\Temp\HEWX68JQRQ.bat

MD5 0e4d081b13e82284dafa3cac305d972c
SHA1 8bfd416385dfb5e4561c89b2236c2204676086e1
SHA256 f3d018f48fb147ecbdb27f74d697c467554c2b23830efeaed0e1d704bc86ca40
SHA512 42b1d5914f4eff37a7647f632965af3e9747e7bcd234ba819edfe38fb05e0e006f15d6cf62f544dc27d20246781edb158dbcda431a339e8afcd5255415e79ba2

C:\Program Files\Windows Portable Devices\taskhost.exe

MD5 20c10eec8ec6fc259112b6002003b733
SHA1 6d29de2fc60ab7327514893ac4f1be7ae77cdac1
SHA256 efd499d86b400fcf862f1d23b778b0c2d4de52f0b831a5cee06a997a99d3ddc1
SHA512 7d52d8c26780d8872ef1ac95166ddd26a6444a3fea971a54f6eb7bd7473dbe4fc61ac0b1122bbbfb651b023de45fde23fb6eb3da62735264537ffdaf7a8b3482

C:\Program Files\Windows Portable Devices\taskhost.exe

MD5 780855762200dc776393db6145c78e16
SHA1 cd93f05b6da2c6550d00e59b28763247be9b2f0b
SHA256 be464e525ae2df977512e103bb15dc83a5242885927ab734fc0198f2aa24f333
SHA512 ed15a14758e6ac45654982f240282e4323c1a6de9ca1b0dc832a6bf49b6b904642f246d481fea2e7f57b77b24b542d707661df1dfbaf4d9a0d74a54782faed68

C:\Users\Admin\AppData\Local\Temp\9b1faba7-8be4-4277-bda7-c7af6e7267fe.vbs

MD5 515f8ce95f4c3088b0d0f65355cf1bdf
SHA1 b3181078e20ce4bf67cd19a9f111deebd5d6601d
SHA256 04635cf477a09a8395eb6f77dfb3f19a9b43f59b897f2b02bc3167a5a7d10ab1
SHA512 90b558fa5579a6b2623efd7d61bcf64e9d0a0b5c1196330b93d0fc7658a76f9363c172f474ddb140f4f2e3b9e7fbc8dc5b67ff8f3f839040f711ba409705509c

C:\Users\Admin\AppData\Local\Temp\2257f5aa-a96d-4391-bd92-6f2cae19b328.vbs

MD5 fb30d99b99c17309a9ed1ec45db00be5
SHA1 c11a379197cdf8c1c478e2ee59854a14cac24322
SHA256 8d2d7a915d2c725e8a5f7cabb5e5c8c484279ed53d16baef15c210751bf581ab
SHA512 6197d9f31db104c994bfc5b58ad2c7a08bc88fe4538f7bcbf3afe8db9413d15d15ff2965eca260c9f2773c1812184c4a61d13429cfafae3ebec45acb2e858c45

C:\Users\Admin\AppData\Local\Temp\d367612823e45d490f3a6c1100d856af30363eba.exe

MD5 1990cab86254f561c848a92d01f8dd5d
SHA1 efed23a1f8d4a5add3b86d42c6ff5373e466503f
SHA256 ca4bc3845e09ca9574045bb19a043d023d98098f167deb0d9e316cc5160250aa
SHA512 697ed01abb07afc3628f0ff12bc80e46d7bf793e0a3c2883e638c31b4e5d7398a841feafb1be5435aa6fb00d5d480cb3ea0f7eb2c72727212bb4ade2982ee3c2

C:\Users\Admin\AppData\Local\Temp\efab0641-dc63-4a40-a90c-20f9b55c12f0.vbs

MD5 83d36f5c51d9aa7957ac6d208f3e204a
SHA1 5b08c22b2a6d917dc1d8a97206b18c97102ef11a
SHA256 4d5b345a43eec5e97cfc54641ec2702299d13ab210511fc30b8aa946fdf22367
SHA512 89e008453f3c44ba79705d138f8fad004e7238893e27acdfa843961b5e13b7cda4bfd58dd9cd7791c68faa6d3386387642cb1def5494eefea865eb1e77e0c939

C:\Users\Admin\AppData\Local\Temp\38f4b424-09d2-47e5-8131-39468d9594c5.vbs

MD5 62c7cf704c4f77b7d9d715fe50451d90
SHA1 50741e588742808d38e7c5c0e1b77dc498fc6df9
SHA256 b30e6303e2570c51c87817962fa0486d6d1eab543dc528d3abc5e8a30401c765
SHA512 20957d863391a678882a4bda2dbc5ede684851d68b56f8331b3ebc8e9abd6919260156f2e2fa35cd58dd567f4c025c9ba4e03b113ba46c683966cb227501d040

C:\Users\Admin\AppData\Local\Temp\d367612823e45d490f3a6c1100d856af30363eba.exe

MD5 3c73747ca7887309c86648b400adc4ef
SHA1 4051eb58f3edba6fb06d55bb80b64347523c9d69
SHA256 cc5481f1ab3982bb92d3a44c72aa48c68b58b7b69ae8e2ba8b6f0cd4d296655c
SHA512 549414730d6827f4bdb71175f9fb93f0d610c1cfdadd1b43e5dedbf2dc0fe7e47f14c467624afc26944703ddb4c905f60762fcfd0d4901d5afa24304a23f1029

C:\Users\Admin\AppData\Local\Temp\c91e2168-0cc0-4dc7-af5d-60e006404385.vbs

MD5 451303066e69071b439a46272896df64
SHA1 636506ff2e321ad39816c92f03ab051746ec7c92
SHA256 c3b0171832d03e856292792aa2c18f6d69ce08f2f22db374fe32072ab3d638fd
SHA512 05b8867a5be603a69636464295bfc1db40cd3fdb12d2e64d329f441ca08a0474ab1e1bd7cf8539e1a53ee04d1637ebb06f266763d8e08d7617d902a8d27f52ba

C:\Users\Admin\AppData\Local\Temp\d367612823e45d490f3a6c1100d856af30363eba.exe

MD5 2eed9706ea6c42a65f386e3d8f08e8a9
SHA1 f1c436097c969a2c1bb2f4e583a665447076973b
SHA256 a45a7a7ec30f021cab59d26e68fdd056f851ba7f0d85c3052d4524471a2d9343
SHA512 3c37cd9905a2c74fd31b69183d05504cbf7510fc50425eb1ac7c5a760fb3c206e36dd7ea313fa3929b397222bdbb075db05e72be61ae8c88953c2d87314fdfef

C:\Users\Admin\AppData\Local\Temp\40ef7bf1-6515-4952-8dfa-f5d30cf1649a.vbs

MD5 b2e21634779ae86b5362d1d1f710f45a
SHA1 a149a922ccfc2bf8ef5399ccc24e2618a133beac
SHA256 e3ff4db766744048a1737e0ff4bd83e45be893f3f67c9017396d8631528d819a
SHA512 4619d7daa0165a235cc82a444020888539faddca031a2e3ef915b0ccb264744a8062369d7d88fe49a17f1aab27fc386f4e2722476b09ebb5d8b6acd0bc438556

C:\Users\Admin\AppData\Local\Temp\eaeb500c-8888-46c1-82eb-d8d5c6e8ee87.vbs

MD5 9c740d7919e02505ca9b3930f5da9bdf
SHA1 0de7f72ab95f3823e9cfa4f6dc4ef5332380eae8
SHA256 f0554d873f3d369eeb9242fc93046cd239244b66ed6896d7e6167ce76623ca42
SHA512 bec3431cc155ea4103cf47eb90e14fcf3ca446d535d3ad5943d78614a80e89ed5f21c40fc80efc8ff80b2fdd3ba683931dc8b9a27f2c45b2d0602861bf70e099

C:\Users\Admin\AppData\Local\Temp\ffd9dfd1-3b58-49ca-957d-9d6dc7f1fe84.vbs

MD5 e05540d911e4648a67988d018db2c704
SHA1 a37d9abbd9a430c593e669e3319aaea94f8582d8
SHA256 7ecc6751db1920e869aa916c8bbe0b7b7e444c3307022971acd5128bceead0da
SHA512 800de6bf8164dac3bab6b1d2f622ab042077c82a6cd16f74470bb7579415726f34e7148308435e044924d579874144bafaa30d6a4c4e2a83db27fda52b67de1f

C:\Users\Admin\AppData\Local\Temp\efa11173-157f-433e-903c-af59ae7aee42.vbs

MD5 192bbfbf13aa0ff6dac51d0929fe5851
SHA1 33d5359ecf2f78eb29bc7cd110b849b9b0b1ca9a
SHA256 e73e68679668df2ba782aea763b6a6a24cf64f95bfb1def52cceff6b789fd73f
SHA512 79b577d2f827eaba709e340f5485261b06acfe8bb0ed87d1a83d8d71c7f0ebf00a00cd9ff89044df7614aa55c4795eadb5127725e8f98d3bd2db35d2a880c444

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 02:11

Reported

2024-03-25 02:14

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried (×10) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\explorer.exe N/A
Key value queried (×1) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried (×10) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) (×10) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Key value queried (×1) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) (×1) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Registry.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\microsoft.system.package.metadata\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\System.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\dllhost.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CSC\System.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Windows\DiagTrack\Settings\Registry.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Windows\CSC\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Windows\Help\Help\sihost.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Windows\Resources\dllhost.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Windows\Resources\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Windows\Help\Help\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Windows\security\audit\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Windows\security\audit\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Windows\DiagTrack\Settings\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A (×57) N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created (×10) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings C:\Recovery\WindowsRE\explorer.exe N/A
Key created (×1) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A (×26) N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A (×38) N/A C:\Recovery\WindowsRE\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (×1) N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Token: SeDebugPrivilege (×10) N/A C:\Recovery\WindowsRE\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4840 wrote to memory of 808 (×2) N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe C:\Windows\System32\cmd.exe
PID 808 wrote to memory of 768 (×2) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 808 wrote to memory of 4384 (×2) N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\explorer.exe
PID 4384 wrote to memory of 3548 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 4384 wrote to memory of 3868 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 3548 wrote to memory of 2200 (×2) N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\explorer.exe
PID 2200 wrote to memory of 3664 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 2200 wrote to memory of 4788 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 3664 wrote to memory of 3624 (×2) N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\explorer.exe
PID 3624 wrote to memory of 908 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 3624 wrote to memory of 2668 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 908 wrote to memory of 1008 (×2) N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\explorer.exe
PID 1008 wrote to memory of 4984 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 1008 wrote to memory of 2632 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 4984 wrote to memory of 3188 (×2) N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\explorer.exe
PID 3188 wrote to memory of 2748 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 3188 wrote to memory of 4292 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 2748 wrote to memory of 4012 (×2) N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\explorer.exe
PID 4012 wrote to memory of 392 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 4012 wrote to memory of 116 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 392 wrote to memory of 3652 (×2) N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\explorer.exe
PID 3652 wrote to memory of 3804 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 3652 wrote to memory of 3472 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 3804 wrote to memory of 2492 (×2) N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\explorer.exe
PID 2492 wrote to memory of 3524 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 2492 wrote to memory of 3980 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 3524 wrote to memory of 3152 (×2) N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\explorer.exe
PID 3152 wrote to memory of 2224 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 3152 wrote to memory of 3976 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 2224 wrote to memory of 3940 (×2) N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\explorer.exe
PID 3940 wrote to memory of 3168 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe
PID 3940 wrote to memory of 2116 (×2) N/A C:\Recovery\WindowsRE\explorer.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A
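The rows above are the sandbox's record of the dropped copy (and, once, the original sample) writing three values under HKLM\...\Policies\System. Taken together they do not bypass UAC so much as switch it off: EnableLUA = 0 disables UAC after the next reboot, ConsentPromptBehaviorAdmin = 0 makes administrators elevate silently in the meantime, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop where other processes can drive it. The following Python is an added triage helper, not part of the report or of the sandbox's own tooling; it parses rows in the shape shown above, keeps only writes to that key whose value/data pair weakens UAC (the policy semantics are Microsoft's documented ones, not something the report states), and de-duplicates the repeated events per writing process. The two rows marked constructed are not from the report.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# HKLM policy key the report shows being written, in the sandbox's
# native \REGISTRY\MACHINE form.
UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Value/data pairs that weaken or disable UAC (documented policy semantics,
# supplied here as an assumption rather than read from the report).
UAC_WEAKENING: Dict[str, Dict[str, str]] = {
    "EnableLUA": {"0": "UAC switched off entirely (effective after the next reboot)"},
    "ConsentPromptBehaviorAdmin": {"0": "administrators elevate silently, no consent prompt"},
    "PromptOnSecureDesktop": {"0": "prompts leave the secure desktop, so other processes can drive them"},
}

# Row shape in this report: Set value (<type>) <key\value> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\)\s+(?P<path>\S+)\s*=\s*"(?P<data>[^"]*)"\s+(?P<process>.+?)\s+(?P<target>\S+)$'
)


class Finding(NamedTuple):
    value_name: str
    data: str
    process: str
    reason: str


def parse_row(line: str) -> Optional[Dict[str, str]]:
    """Split one registry-write row into its fields; None if the row does not match."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["key"], _, row["value"] = row.pop("path").rpartition("\\")
    return row


def audit_uac_writes(rows: List[str]) -> List[Finding]:
    """One Finding per distinct (value, data, writing process) that weakens UAC."""
    findings: List[Finding] = []
    seen = set()
    for line in rows:
        row = parse_row(line)
        if row is None or row["key"].lower() != UAC_POLICY_KEY.lower():
            continue
        reason = UAC_WEAKENING.get(row["value"], {}).get(row["data"])
        if reason is None:
            continue  # unrelated value, or a value set to a safe setting
        key = (row["value"], row["data"], row["process"])
        if key not in seen:  # the sandbox logs the same write many times
            seen.add(key)
            findings.append(Finding(row["value"], row["data"], row["process"], reason))
    return findings


def uac_disabled(findings: List[Finding]) -> bool:
    """True when the writes turn UAC off outright, not merely make it prompt-free."""
    return any(f.value_name == "EnableLUA" and f.data == "0" for f in findings)


# Rows copied from this report's registry table, plus two constructed rows
# (a safe EnableLUA = "1" write and a write to an unrelated key) that must not be flagged.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\explorer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\explorer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\explorer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\regedit.exe N/A',  # constructed
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "0" C:\Recovery\WindowsRE\explorer.exe N/A',  # constructed
]

if __name__ == "__main__":
    found = audit_uac_writes(SAMPLE_ROWS)
    for f in found:
        print(f"{f.process}: {f.value_name}={f.data} -> {f.reason}")
    print("UAC fully disabled:", uac_disabled(found))
```

On the sample rows the audit returns four findings (three values from the dropped explorer.exe copy, one from the original sample) and reports UAC as fully disabled; the duplicate EnableLUA row, the safe EnableLUA = "1" row and the Run-key row produce nothing. On a live host the same three values can be read back with reg.exe or Get-ItemProperty, and a non-default combination is worth an alert on its own regardless of which process wrote it.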

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe

"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\security\audit\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\security\audit\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\security\audit\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\DiagTrack\Settings\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\Settings\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\odt\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\odt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Help\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Help\Help\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Help\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RntjMyf9uZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3da10925-1a32-4095-9c8f-715259bffb39.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\388adb51-ebd0-4eab-ba58-d822365ca0fc.vbs"

C:\Recovery\WindowsRE\explorer.exe

C:\Recovery\WindowsRE\explorer.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7749a4f1-df73-40f7-9b89-cccdb664941c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aeadb36-66a9-4262-a0e4-ac8ab4079000.vbs"

C:\Recovery\WindowsRE\explorer.exe

C:\Recovery\WindowsRE\explorer.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75cd2b4b-47ee-49e7-b1ab-3b74c6c79d0e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\819246bb-a0eb-47a9-9561-dc97e35ce37c.vbs"

C:\Recovery\WindowsRE\explorer.exe

C:\Recovery\WindowsRE\explorer.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0645b1ab-1e89-46ef-bb22-22286c12f5f8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3ab9556-fba8-44cf-8225-db84e6232aca.vbs"

C:\Recovery\WindowsRE\explorer.exe

C:\Recovery\WindowsRE\explorer.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0dda8b6-2be4-489b-9cc6-59c47cd28b8d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ef4c74b-8e9f-4c66-891e-431b7b93225c.vbs"

C:\Recovery\WindowsRE\explorer.exe

C:\Recovery\WindowsRE\explorer.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\648769ee-16ba-4f95-a8c6-43d3e6afbcc2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\276ffccd-57ed-49c3-8f74-db64bb5ec581.vbs"

C:\Recovery\WindowsRE\explorer.exe

C:\Recovery\WindowsRE\explorer.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37bbd2bc-ba1e-49b6-a70a-9ace85d126b7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad606097-b984-4806-aaa4-51f0c950294f.vbs"

C:\Recovery\WindowsRE\explorer.exe

C:\Recovery\WindowsRE\explorer.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57000d27-45c4-42cd-a82d-ee922975253e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fb7b653-8b7c-4e1f-93f2-d846ebcf79f0.vbs"

C:\Recovery\WindowsRE\explorer.exe

C:\Recovery\WindowsRE\explorer.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229df18c-f654-4c79-ba84-08376a8ce56b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5314319f-845c-4a3d-8cd8-4e6c9f28dd68.vbs"

C:\Recovery\WindowsRE\explorer.exe

C:\Recovery\WindowsRE\explorer.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2487cd07-39a2-4f35-9b3a-15141891ce55.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3954ee1a-cee5-4161-bff2-45a4cc9e533a.vbs"
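The process list above shows the persistence pattern behind the "Creates scheduled task(s)" and "Uses Task Scheduler COM API" signatures: for every dropped copy the sample registers three tasks, a MINUTE-interval task without a run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, each pointing at a binary named after a Windows system process (wininit, dllhost, spoolsv, services, sihost, fontdrvhost, RuntimeBroker, backgroundTaskHost, explorer, sysmon, OfficeClickToRun, even Registry and System, which have no on-disk image at all) but placed in a user-writable or unusual directory. The Python below is an added example written for this report, not tooling from the sandbox; it parses schtasks /create command lines of the shape shown, flags a task when the image name is a known system-process name launched from somewhere other than its expected home, and groups the tasks per target binary so the triad stands out. The expected-home table is an assumption from general Windows knowledge, and the NightlyBackup command is constructed, not from the report.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Where each impersonated image name legitimately lives (assumption, not
# stated in the report). None marks names with no on-disk image at all:
# "Registry" and "System" are kernel pseudo-processes.
EXPECTED_HOME: Dict[str, Optional[str]] = {
    "explorer.exe": r"C:\Windows",
    "dllhost.exe": r"C:\Windows\System32",
    "runtimebroker.exe": r"C:\Windows\System32",
    "sihost.exe": r"C:\Windows\System32",
    "spoolsv.exe": r"C:\Windows\System32",
    "services.exe": r"C:\Windows\System32",
    "wininit.exe": r"C:\Windows\System32",
    "fontdrvhost.exe": r"C:\Windows\System32",
    "backgroundtaskhost.exe": r"C:\Windows\System32",
    "officeclicktorun.exe": r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun",
    "sysmon.exe": r"C:\Windows",
    "registry.exe": None,
    "system.exe": None,
}

# schtasks switches seen in the report; /tr wraps the path as "'path'".
FLAG_RE = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "target": re.compile(r'/tr\s+"\'?([^"\']+)\'?"', re.I),
    "runlevel": re.compile(r"/rl\s+(\S+)", re.I),
}


def parse_schtasks(cmd: str) -> Optional[Dict[str, object]]:
    """Parse one 'schtasks /create' command line; None for any other command."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmd, re.I):
        return None
    fields: Dict[str, object] = {}
    for key, rx in FLAG_RE.items():
        m = rx.search(cmd)
        fields[key] = m.group(1) if m else None
    if not fields["name"] or not fields["target"]:
        return None
    target = str(fields["target"])
    home, _, image = target.rpartition("\\")
    image = image.lower()
    reasons: List[str] = []
    masquerade = False
    if image in EXPECTED_HOME:
        expected = EXPECTED_HOME[image]
        if expected is None:
            masquerade = True
            reasons.append(f"{image} has no legitimate on-disk image")
        elif home.lower() != expected.lower():
            masquerade = True
            reasons.append(f"{image} launched from {home}, expected {expected}")
    if str(fields["runlevel"] or "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if str(fields["schedule"] or "").upper() == "MINUTE" and fields["modifier"] and int(str(fields["modifier"])) <= 15:
        reasons.append(f"re-launched every {fields['modifier']} minutes")
    fields.update(image=image, home=home, masquerade=masquerade, reasons=reasons)
    return fields


def persistence_summary(cmds: List[str]) -> Dict[str, Dict[str, object]]:
    """Group tasks by the binary they launch; the sample registers several per copy."""
    by_target: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for cmd in cmds:
        task = parse_schtasks(cmd)
        if task:
            by_target[str(task["target"])].append(task)
    return {
        target: {
            "tasks": len(tasks),
            "schedules": sorted({str(t["schedule"] or "").upper() for t in tasks}),
            "highest": any(str(t["runlevel"] or "").upper() == "HIGHEST" for t in tasks),
            "masquerade": any(bool(t["masquerade"]) for t in tasks),
        }
        for target, tasks in by_target.items()
    }


# Command lines copied from this report's process list.
REPORT_CMDS = [
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f''',
    r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\DiagTrack\Settings\Registry.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f''',
]
# Constructed benign task for contrast; not from the report.
BENIGN_CMD = r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'''

if __name__ == "__main__":
    for target, info in persistence_summary(REPORT_CMDS + [BENIGN_CMD]).items():
        print(target, info)
```

Run against the report's commands, every target is flagged as a masquerade and the wininit.exe copy shows the full triad (three tasks, MINUTE and ONLOGON, highest run level), while the constructed backup task is parsed but not flagged. On a live host the same check can be run over `schtasks /query /fo CSV /v` output, since the task name, schedule, run level and "Task To Run" columns carry the same fields. Separately, the batch file the sample runs calls w32tm /stripchart against localhost with a 5 second period and 2 samples, which is a common stand-in for a sleep before the copied payload is started; it is not a task-scheduler artifact and the parser above ignores it.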

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 a0917913.xsph.ru udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
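Most rows in the network table are noise that a sandbox produces on its own: PTR queries for the peers it observed (the in-addr.arpa names, one of which, 6.192.8.141.in-addr.arpa, is the reverse of 141.8.192.6) and Windows background traffic to Bing. Stripped of those, the table leaves one destination, a0917913.xsph.ru resolved to 141.8.192.6 in Russia, contacted repeatedly over plain HTTP on port 80. The Python below is an added triage helper, not the report's own analysis; it parses rows of the shape shown, discards reverse lookups and a short list of background domains (that allow-list is an assumption for this example), and aggregates what remains per domain, including whether the sandbox later reverse-resolved the destination IP. The sample rows are copied from the table above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Row shape in this report: <country> <ip>:<port> <domain> <proto>
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)

# Domains treated as OS/sandbox background traffic. A triage assumption for
# this example, not a judgement the report itself makes.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def ptr_to_ip(domain: str) -> Optional[str]:
    """'6.192.8.141.in-addr.arpa' -> '141.8.192.6'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    return ".".join(reversed(domain[: -len(suffix)].split(".")))


def parse_rows(lines: List[str]) -> List[Dict[str, str]]:
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def triage(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Per-domain summary of everything that is neither a PTR query nor background noise."""
    rows = parse_rows(lines)
    # IPs the sandbox reverse-resolved; a candidate whose IP appears here was
    # an observed peer, not just a name that was looked up.
    ptr_ips = {ptr_to_ip(r["domain"]) for r in rows if ptr_to_ip(r["domain"])}
    candidates: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"dns_lookups": 0, "connections": 0, "endpoints": set(),
                 "countries": set(), "cleartext": False, "ptr_seen": False}
    )
    for r in rows:
        domain = r["domain"]
        if ptr_to_ip(domain) or domain.endswith(BACKGROUND_SUFFIXES):
            continue
        c = candidates[domain]
        if r["proto"] == "udp" and r["port"] == "53":
            c["dns_lookups"] = int(c["dns_lookups"]) + 1  # resolver traffic, not the peer
            continue
        c["connections"] = int(c["connections"]) + 1
        c["endpoints"].add(f'{r["ip"]}:{r["port"]}')
        c["countries"].add(r["cc"])
        c["cleartext"] = bool(c["cleartext"]) or r["port"] == "80"
        c["ptr_seen"] = bool(c["ptr_seen"]) or r["ip"] in ptr_ips
    return dict(candidates)


# Rows copied from this report's network table.
REPORT_ROWS = [
    "US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.200:443 g.bing.com tcp",
    "US 8.8.8.8:53 a0917913.xsph.ru udp",
    "RU 141.8.192.6:80 a0917913.xsph.ru tcp",
    "US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp",
    "RU 141.8.192.6:80 a0917913.xsph.ru tcp",
    "RU 141.8.192.6:80 a0917913.xsph.ru tcp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
]

if __name__ == "__main__":
    for domain, info in triage(REPORT_ROWS).items():
        print(domain, info)
```

On the sample rows the only candidate is a0917913.xsph.ru: one DNS lookup, three TCP connections to 141.8.192.6:80, cleartext, and the IP was subsequently reverse-resolved by the sandbox. That is the domain and IP pair to block or hunt for; the PTR names and the Bing endpoints should not go into an indicator list.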

Files

memory/4840-0-0x00000000005F0000-0x0000000000920000-memory.dmp

memory/4840-1-0x00007FF905750000-0x00007FF906211000-memory.dmp

memory/4840-2-0x000000001B730000-0x000000001B740000-memory.dmp

memory/4840-3-0x00000000011E0000-0x00000000011EE000-memory.dmp

memory/4840-4-0x0000000002B40000-0x0000000002B4E000-memory.dmp

memory/4840-5-0x0000000002B50000-0x0000000002B58000-memory.dmp

memory/4840-6-0x000000001B540000-0x000000001B548000-memory.dmp

memory/4840-7-0x000000001B550000-0x000000001B560000-memory.dmp

memory/4840-8-0x000000001B560000-0x000000001B576000-memory.dmp

memory/4840-9-0x000000001B690000-0x000000001B698000-memory.dmp

memory/4840-10-0x000000001B6A0000-0x000000001B6B2000-memory.dmp

memory/4840-11-0x000000001B6D0000-0x000000001B6DC000-memory.dmp

memory/4840-12-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

memory/4840-13-0x000000001B6C0000-0x000000001B6D0000-memory.dmp

memory/4840-14-0x000000001B6E0000-0x000000001B6EA000-memory.dmp

memory/4840-15-0x000000001BD40000-0x000000001BD96000-memory.dmp

memory/4840-16-0x000000001B6F0000-0x000000001B6FC000-memory.dmp

memory/4840-17-0x000000001B700000-0x000000001B708000-memory.dmp

memory/4840-18-0x000000001B710000-0x000000001B71C000-memory.dmp

memory/4840-19-0x000000001B720000-0x000000001B728000-memory.dmp

memory/4840-20-0x000000001BD90000-0x000000001BDA2000-memory.dmp

memory/4840-21-0x000000001C2D0000-0x000000001C7F8000-memory.dmp

memory/4840-22-0x0000000002B20000-0x0000000002B2C000-memory.dmp

memory/4840-23-0x0000000002B30000-0x0000000002B3C000-memory.dmp

memory/4840-24-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

memory/4840-25-0x000000001BDB0000-0x000000001BDBC000-memory.dmp

memory/4840-26-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

memory/4840-27-0x000000001C040000-0x000000001C048000-memory.dmp

memory/4840-28-0x000000001BED0000-0x000000001BEDA000-memory.dmp

memory/4840-29-0x000000001BEE0000-0x000000001BEEE000-memory.dmp

memory/4840-30-0x000000001BEF0000-0x000000001BEF8000-memory.dmp

memory/4840-31-0x000000001C000000-0x000000001C00E000-memory.dmp

memory/4840-32-0x000000001C010000-0x000000001C01C000-memory.dmp

memory/4840-33-0x000000001C020000-0x000000001C028000-memory.dmp

memory/4840-34-0x000000001C030000-0x000000001C03A000-memory.dmp

memory/4840-35-0x000000001C050000-0x000000001C05C000-memory.dmp

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe

MD5 1994f3ef2118aeecbb74e6c8976fd47b
SHA1 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

C:\Users\Admin\AppData\Local\Temp\RntjMyf9uZ.bat

MD5 6cf068a242a005763dbcc3239356b0dd
SHA1 22fe93f2b34a0e9eff75f03e822eb15140dbde74
SHA256 922b0453684b48d51fa03f1c1e15a4352ebb8a7b242df0a1a75e994691a53d15
SHA512 84aea3d16fc3812b5fde2295231035ed76ffe474b73aec99edc32bcb2a9199ad7c60ac76918a40c6a9753443830d4e10f42383fbdac655f4781b28928cbaf3ce

memory/4840-80-0x00007FF905750000-0x00007FF906211000-memory.dmp

memory/4384-84-0x00007FF905330000-0x00007FF905DF1000-memory.dmp

memory/4384-85-0x000000001B540000-0x000000001B550000-memory.dmp

memory/4384-86-0x000000001B4F0000-0x000000001B546000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3da10925-1a32-4095-9c8f-715259bffb39.vbs

MD5 346a086c30cf07c5f89b87af6b886740
SHA1 0619c185b7bbb93537ef1976d2e1e0d14bb10f82
SHA256 7f974008d3ef0d6dce3f36d82b13346913d1fc0aeffa759b9fa9e39080c24727
SHA512 1f93e63ce8fed65379381e02497f3c68b0fd8bf4efcff22cc0270eff2454cd6dd06e8783ddec0ed73a003d39a3da4a0f0dbcc24803c19e8bd05fbce75867b132

C:\Users\Admin\AppData\Local\Temp\388adb51-ebd0-4eab-ba58-d822365ca0fc.vbs

MD5 2e5cfca88dfe83a724518eb03d6bb1d4
SHA1 a54b252bd92ba4a2a88977aedacf1bac42200eb0
SHA256 57c8a44cf0b34dc807cd8c827e7ad704e22db704b8a9b62488f2af4facfd6596
SHA512 b2b47904784b976c52669363023b012c13a5f147057b5e532f3db489f240f078ad41bc113f2c21f95fd2aae635ca2c6fa43a8db387f252cb18b7e376ff8a29f6

memory/4384-97-0x00007FF905330000-0x00007FF905DF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

MD5 caa9da90d9bfc2c0fbadbf7eb57d1aae
SHA1 b0237d1cdb8c7fdb6f89e72475dbfb639c025ed7
SHA256 b5c2348671b5ad62cc02ded41adcf1855341bd6d20706bf45d9d68e4cddd4bbd
SHA512 da20485cf87f6e9b95141dea062188b5a2299ff1e1a7f83446afac0d8b70a2d18d02b60b232b2c9e6af5071906dd08f41cf4637379165c1823a9fa9b82d155d8

memory/2200-100-0x00007FF9051D0000-0x00007FF905C91000-memory.dmp

memory/2200-101-0x0000000001620000-0x0000000001630000-memory.dmp

memory/2200-102-0x0000000003050000-0x00000000030A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7749a4f1-df73-40f7-9b89-cccdb664941c.vbs

MD5 40b6c0042bb61622f0dbe459a88ac3f9
SHA1 6c7ae11c7a3a81374f32f7e9c0ac0f394554d92f
SHA256 a1b4af28b590621b5382c3563153783886511189fc7de9c3a4a3daf8fa52deea
SHA512 edfea0777868ec24a10790dbdb00283f94f896e8f2f7a2645acfd9df3e126b76fb20e8f28ecf2fbf8f2319723e2f39264e03d658862fc7cd0586429c35019167

memory/2200-113-0x00007FF9051D0000-0x00007FF905C91000-memory.dmp

memory/3624-115-0x00007FF904C00000-0x00007FF9056C1000-memory.dmp

memory/3624-116-0x000000001BD90000-0x000000001BDA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\75cd2b4b-47ee-49e7-b1ab-3b74c6c79d0e.vbs

MD5 6dfc36f4f7eda0c2d917ad761877b763
SHA1 84d9f9952100c6594bb0275a2c93f89f491a69aa
SHA256 58b1fbc956f81d31fcb901baf31cd5120a5903ebb1df8fff6c990582d0267234
SHA512 dc1e24feb4feaa11e8a60e7462c00b7fc59f649826bf1b46583f8e9b60dcfc7e6f7725e08deacc4cc1b40379b8ab32934f7e713bcfe77b63a1c7ea7cfe991b75

memory/3624-127-0x00007FF904C00000-0x00007FF9056C1000-memory.dmp

memory/1008-129-0x00007FF9051D0000-0x00007FF905C91000-memory.dmp

memory/1008-130-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

memory/1008-131-0x0000000001240000-0x0000000001252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0645b1ab-1e89-46ef-bb22-22286c12f5f8.vbs

MD5 39036b0b31b61363462933d0e47fdfcb
SHA1 b3d73ec383b0b74030019220b92eeb961fbed45e
SHA256 d5d2b7b447dca3f68ff3422edd0eccdf23f1d4a817e0ecb0d9e6d2240c1f4b8d
SHA512 f1760dd9c1ebe59c0a5d30175dfcaffe070f7a85b5a68d46a08c2dc37e49fbb501d5968c556df7055c1854d74e0041760546248c58d5043c0449c9adb4023a2c

memory/1008-142-0x00007FF9051D0000-0x00007FF905C91000-memory.dmp

memory/3188-144-0x00007FF9051D0000-0x00007FF905C91000-memory.dmp

memory/3188-145-0x00000000033A0000-0x00000000033B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c0dda8b6-2be4-489b-9cc6-59c47cd28b8d.vbs

MD5 6679daaf57c32408fa24d71ec2a09279
SHA1 b5eecf46034afb50fbd1d9d52517c0b2570d786f
SHA256 4abc2f8330adbef7361c31519f0c6f4396bc7bd7b53792b5f4cc5261c21287ed
SHA512 742f9a21318f4264c89ca9259425c4809886eb8af3fa1a55a5a77349d0d6606729d731e6b55bd6067e087f58ed7ad3abe1acbd10fbcb8b4ad8a7e7a5d9aa33de

memory/3188-156-0x00007FF9051D0000-0x00007FF905C91000-memory.dmp

memory/4012-158-0x00007FF9051D0000-0x00007FF905C91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\648769ee-16ba-4f95-a8c6-43d3e6afbcc2.vbs

MD5 c4dada0bfc15419fa6a379011e4f757a
SHA1 734acf8472c9d590e9f12eaff968c50131c647fe
SHA256 b1bba83a0ed9a24cfb4747a9ae5b2781cec12a77291d6cc6455a7ad65dcce131
SHA512 1437e0dc3cefe53f354fbb5bf93fba47dbc2e1c709cec101568926b2a62fce67d53f1965a0e4503e8c1a90e069473ef4c1467f8c24ac6244991f4434ca5260c1

memory/4012-169-0x00007FF9051D0000-0x00007FF905C91000-memory.dmp

C:\Recovery\WindowsRE\explorer.exe

MD5 98c52308d2a6eba5e88bfe8ddeb6b0bc
SHA1 7aa710108f2f3ab799df4ee4bf789bccc97a3086
SHA256 29844501b9a24006bbd72a2701e0a84e761cb697f901bb5ae986ebcd23d28116
SHA512 f45ada1c49c5a384f57495785ec45fce8600a3368dabf3be9d03f38b66790d9e14213296c29077e6d7eab21104533067db7f0a2f0a52e98df00ccbca49587e7b

memory/3652-171-0x00007FF905280000-0x00007FF905D41000-memory.dmp

memory/3652-172-0x0000000001AA0000-0x0000000001AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\37bbd2bc-ba1e-49b6-a70a-9ace85d126b7.vbs

MD5 cb41d8bce2ba65ae99eca1b86cf8cfd6
SHA1 ba827f2acc3d39d31441e085e5957cefa7842df7
SHA256 80333efa52321dc4ebd04d14ab56efba5e69c0e755d658d2f979db2ff1c699cf
SHA512 24b7b7408daac0d0a8f2546b2c4e50d1502dbbc64da3e78754668f58a228f04139321b5fffb0cd5adedbc4e96c23cd074d20c81d4d37807f53cf31c14a7a1c05

memory/3652-183-0x000000001D0A0000-0x000000001D1A2000-memory.dmp

memory/3652-184-0x00007FF905280000-0x00007FF905D41000-memory.dmp

memory/2492-186-0x00007FF905280000-0x00007FF905D41000-memory.dmp

memory/2492-187-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\57000d27-45c4-42cd-a82d-ee922975253e.vbs

MD5 3b0d14a1ff5af3c56244a823626a43d1
SHA1 b21b09bd119ce79a7de044180113de722ec4467f
SHA256 3ecf18eed4a5c5266ce3d1331a71979afaee6fd311dab748e6055589c15ec0f8
SHA512 8c28934c39fd2b162da7e1e15269b0752f4128c091bf32e1bde2c5dc6900d745faded3e20a6e1cedcb303e59efdffacfa82eedef74cd33b738c023ba0993da0c

memory/2492-198-0x000000001C760000-0x000000001C862000-memory.dmp

memory/2492-199-0x000000001C760000-0x000000001C862000-memory.dmp

memory/2492-200-0x00007FF905280000-0x00007FF905D41000-memory.dmp

memory/3152-202-0x00007FF905280000-0x00007FF905D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\229df18c-f654-4c79-ba84-08376a8ce56b.vbs

MD5 a849b652b22cf2beb8fdf29ba1634f95
SHA1 70f51869f45a3cc88b0e38e25a67dc801b2bbc3c
SHA256 55878a660bdb987664319363eacd0dbd74808a7377069b5a5dc4015c4e95a5ce
SHA512 462af8b2dd4cb36bb107bf8b082e22abc4fc428ff4a79b21736824f2a6319dedf851c7a175ba667b75c4ab4f7bd131b9d6ac4a71e0a8ae7d66e56ff410a82b0d

memory/3152-214-0x000000001D130000-0x000000001D232000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1b5f595f3f96c9e293c9c22092e7e88ee0b82976.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\2487cd07-39a2-4f35-9b3a-15141891ce55.vbs

MD5 1c8ea01eaa9e6c4c41634cd5e0c9321d
SHA1 6c4a0c2f97ac69e2b4b82b70c0a38246ae0ac769
SHA256 bbc7fa0078aab82df753160af31da8308ab4a68c73774aa2664011c8bd279b24
SHA512 e1902401dffe635e167e6e51e3a9a534fdaf729005068b0a4318beed9ab15a2346edc65031dd2369dc2f881ac0fd6672c4688da458b6ef7054afd4a984594b86
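Two of the file entries above deserve a second look before their hashes are copied into a blocklist. The dropped C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe has the same SHA256 as the submitted sample, so it is a byte-for-byte self-copy rather than a second payload. The 1b5f595f3f96c9e293c9c22092e7e88ee0b82976.exe entry carries the MD5, SHA1, SHA256 and SHA512 of zero-length input: the file was created empty, and those digests would match every empty file on every host. The Python below is an added hygiene check written for this report, not sandbox tooling; it parses file entries in the format shown, computes the empty-input digests rather than hard-coding them, flags self-copies and empty files, and returns only the SHA256 values that are safe to push to a blocklist. The sample text is copied from the entries above except for the final entry, which is constructed with a truncated digest to show the length check.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple

# SHA256 of the submitted sample, from the report header.
SUBMITTED_SHA256 = "5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c"

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of b"" for each algorithm, computed so the check cannot drift.
EMPTY_DIGESTS = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in DIGEST_LEN}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_file_entries(text: str) -> List[Dict[str, object]]:
    """Collect (path, hashes) entries; memory dump lines carry no hashes and are skipped."""
    entries: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def audit_entries(entries: List[Dict[str, object]], submitted_sha256: str) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    for e in entries:
        path, hashes = str(e["path"]), dict(e["hashes"])
        malformed = [a for a, d in hashes.items() if len(d) != DIGEST_LEN[a]]
        if malformed:
            findings.append((path, "malformed digest(s): " + ", ".join(malformed)))
            continue
        if hashes and all(d == EMPTY_DIGESTS[a] for a, d in hashes.items()):
            findings.append((path, "zero-byte file: these are the digests of empty input"))
        if hashes.get("SHA256") == submitted_sha256.lower():
            findings.append((path, "byte-identical copy of the submitted sample"))
    return findings


def blocklist_sha256(entries: List[Dict[str, object]]) -> Set[str]:
    """SHA256 values that are well-formed and not the empty-file digest."""
    out: Set[str] = set()
    for e in entries:
        d = dict(e["hashes"]).get("SHA256")
        if d and len(d) == 64 and d != EMPTY_DIGESTS["SHA256"]:
            out.add(d)
    return out


# Entries copied from this report's Files section; the last entry is constructed.
REPORT_FILES = r"""
memory/4840-0-0x00000000005F0000-0x0000000000920000-memory.dmp

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe

MD5 1994f3ef2118aeecbb74e6c8976fd47b
SHA1 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

C:\Users\Admin\AppData\Local\Temp\RntjMyf9uZ.bat

MD5 6cf068a242a005763dbcc3239356b0dd
SHA1 22fe93f2b34a0e9eff75f03e822eb15140dbde74
SHA256 922b0453684b48d51fa03f1c1e15a4352ebb8a7b242df0a1a75e994691a53d15
SHA512 84aea3d16fc3812b5fde2295231035ed76ffe474b73aec99edc32bcb2a9199ad7c60ac76918a40c6a9753443830d4e10f42383fbdac655f4781b28928cbaf3ce

C:\Users\Admin\AppData\Local\Temp\1b5f595f3f96c9e293c9c22092e7e88ee0b82976.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\constructed-truncated.vbs

SHA256 deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""

if __name__ == "__main__":
    parsed = parse_file_entries(REPORT_FILES)
    for path, reason in audit_entries(parsed, SUBMITTED_SHA256):
        print(f"{path}: {reason}")
    print("blocklist:", sorted(blocklist_sha256(parsed)))
```

On the sample text the audit reports the RuntimeBroker.exe copy, the zero-byte executable and the constructed truncated digest, and the blocklist collapses to two SHA256 values: the sample itself and the RntjMyf9uZ.bat dropper script. The .vbs files listed above have GUID file names generated per run, so their hashes are useful for matching this detonation but should not be expected to recur on other hosts.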