Malware Analysis Report

2025-06-15 19:46

Sample ID 240326-bwm9pseb4x
Target 1994f3ef2118aeecbb74e6c8976fd47b.bin
SHA256 e645c15ab73fd6817d3afe198e1becaff9a16eddebb5ff999434b91a4af9d2b4
Tags
rat dcrat evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e645c15ab73fd6817d3afe198e1becaff9a16eddebb5ff999434b91a4af9d2b4

Threat Level: Known bad

The file 1994f3ef2118aeecbb74e6c8976fd47b.bin was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

Process spawned unexpected child process

UAC bypass

Dcrat family

DCRat payload

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

System policy modification

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-26 01:29

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-26 01:29

Reported

2024-03-26 01:32

Platform

win7-20240221-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target | Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A | 51

UAC bypass

evasion trojan
Description | Indicator | Process | Target | Count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe | N/A | 12
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe | N/A | 12
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe | N/A | 12
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A | 1

DCRat payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 7

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target | Count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe | N/A | 12
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe | N/A | 12
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A | 1

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Uninstall Information\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\en-US\56085415360792 | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files\Common Files\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files (x86)\MSBuild\csrss.exe | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files (x86)\Windows NT\Accessories\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files\Common Files\lsass.exe | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files\Windows Mail\it-IT\csrss.exe | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files\Windows Portable Devices\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files\Windows Portable Devices\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files (x86)\MSBuild\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Program Files\Windows Mail\it-IT\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ShellNew\Idle.exe | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Windows\ShellNew\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Windows\Performance\WinSAT\DataStore\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A
File created | C:\Windows\Performance\WinSAT\DataStore\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 51

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe | N/A | 11
N/A | N/A | C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe | N/A | 53

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
PID 892 wrote to memory of 2808 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 892 wrote to memory of 2812 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 2808 wrote to memory of 1744 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
PID 1744 wrote to memory of 1740 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 1744 wrote to memory of 1724 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 1740 wrote to memory of 2920 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
PID 2920 wrote to memory of 324 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 2920 wrote to memory of 1584 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 324 wrote to memory of 1680 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
PID 1680 wrote to memory of 1264 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 1680 wrote to memory of 376 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 1264 wrote to memory of 2516 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
PID 2516 wrote to memory of 2816 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 2516 wrote to memory of 2456 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 2816 wrote to memory of 1468 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
PID 1468 wrote to memory of 1968 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 1468 wrote to memory of 1004 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 1968 wrote to memory of 2028 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe
PID 2028 wrote to memory of 2132 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 2028 wrote to memory of 2980 N/A C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe C:\Windows\System32\WScript.exe
PID 2132 wrote to memory of 2172 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe

"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Common Files\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\dllhost.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3599326a-1a0e-4ad7-810e-3bcd8da406a6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8d12bde-4c92-40be-a1f3-f444f1bc42ce.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ff4f7e3-b8ee-4441-b99d-5c374ca374c7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1748ffc4-589c-40d8-8023-a1fc8fdf5eed.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cf90a72-e69c-4d82-8cbe-4c6aa7d2eaae.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13235e3b-5853-440b-8e2d-fe7be00effc0.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91050917-5450-4104-9851-fb0444b75dd3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee1bba51-4598-4346-867e-bc27b931b052.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1188a621-1c37-415f-9b96-46a5e1158491.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13de8598-1970-4cdb-bf8b-a0cf07f172fb.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2291065-7bfd-472a-bdb1-b4d09df2dc13.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9532bd60-98be-479a-9cca-4ee604e71775.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ed21885-4349-48cd-bed1-31f6a117e8b4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c895f7-7ddd-4f72-88aa-26c99bc11852.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f40e772a-27fe-49f0-bfd7-0765d08d25a4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\261925f6-6af8-45c4-9189-d5062fafb6af.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72bc2190-991d-4af2-9504-771f8f98330e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f613f50-abd1-4cfe-81d0-faa66d0e2e28.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\994c7646-6dab-4c30-82f5-c12318bb2061.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529bb12d-1139-4070-a213-6d9ad6b33bc0.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec9f3e96-16f8-462e-9b78-c6fd8138ac96.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a6ed68-6735-40af-8d34-99402f6b840f.vbs"

C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe

"C:\Program Files (x86)\Windows NT\Accessories\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3bb2515-afd2-4046-9fc9-54a692cb84e3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c838fc6-6233-41ed-841c-5efd4575ae42.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0917913.xsph.ru udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp

Files

C:\Windows\ShellNew\Idle.exe

MD5 1994f3ef2118aeecbb74e6c8976fd47b
SHA1 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

C:\Users\Admin\AppData\Local\Temp\3599326a-1a0e-4ad7-810e-3bcd8da406a6.vbs

MD5 65379504f2a1e85cccc49de90e8b77ac
SHA1 5827ee13fd0b13e11232246f3fc22a960fa7d735
SHA256 50d8dd5f6244075156802a78bf000ee1e238f28f865d9093a48d6cc8c24f236b
SHA512 418705441490ac127f2d789d62d4b13fa77cc86cde8c5331aea347f1d95099be76e28633e7d168bab0f0a70249c8b79df989b49f6e7216ff32e9196b473c4822

C:\Users\Admin\AppData\Local\Temp\f8d12bde-4c92-40be-a1f3-f444f1bc42ce.vbs

MD5 8917f1897d2073746f52d2434c6c924b
SHA1 cc18b5bd92cd4cb7fd8b8cd339f1a6ab11c817b2
SHA256 641f9534592404fd3869de22d315a3b4d435404323a45bfa8483fd1978dd8ce7
SHA512 7fb42f4a76c038c12b345611421a3818ee92691542ddec0c1b2af3e9db5cea5de495e76b56e001534f7f05dd6af6fdf4353534a270a058e4fcf728b86c6dd005

C:\Users\Admin\AppData\Local\Temp\1ff4f7e3-b8ee-4441-b99d-5c374ca374c7.vbs

MD5 b40bb74a90bc1eee7b65e38a06f7f3c8
SHA1 dec3f65cce73d2ac1843147c2c977b0b36a4e0ba
SHA256 b291d0bd748abc38e22baa546455854c03c5dbe10261912d3efd4af021027506
SHA512 bd6db907819393d8222ce10d1cda42dfc46e94d958d11663923edbcb7e15a316e94c4a43613788247ce414d5651c4481017be887d5ab032fcfade32d82fdb501

memory/1744-102-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

memory/2920-104-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1cf90a72-e69c-4d82-8cbe-4c6aa7d2eaae.vbs

MD5 9ec986e49aea3018e96cca75f9770e69
SHA1 f6dc52e382fa38d6bd8ad44106f2437c1a654ec4
SHA256 6278ad7f246182d87dc21c61e662be5a89dcfd406fe80098f2cd03a54a78d8f6
SHA512 1abd82d4e84ce2376146dd325fc45386a6f971163af6a86e306e1b1e0eb5c44de2775d6428f6cd026a3b393dd4bcdebcdab92c0025d6c6a4285ef069aa38b982

memory/2920-115-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

memory/1680-133-0x000000001AF60000-0x000000001AFE0000-memory.dmp

memory/1680-132-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91050917-5450-4104-9851-fb0444b75dd3.vbs

MD5 f6c83e9bf394e243913ce12dfae9a45d
SHA1 6b88358c38b31a83a8c10a3ec5afdf81bd5fffff
SHA256 85b437eacecf13853d59ae88c5973ceaf806b50356f4edcb5bb62bf867c2d938
SHA512 268f138e9c19885e2372d4362502aeba73b0bd983143acd4a27d6098849b2bb82016cc1bb667ec57ce55b881ec55a798c6a37286ce673b934dc634558f7c649b

C:\Users\Admin\AppData\Local\Temp\3d9aa20636f916464dcc255c8bcf938ca8d4e949.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1680-144-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

memory/2516-146-0x000007FEF4DA0000-0x000007FEF578C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1188a621-1c37-415f-9b96-46a5e1158491.vbs

MD5 86dc03ea428a3c414e9946d3be17003d
SHA1 93d52afd980dfa93d70e2791671a157da95ebcaf
SHA256 82853db077457b2c6f334493ca8565f45ba3395d21df10dcc10291484e094e97
SHA512 391fe033d377501a3493e0644b9ba007ee727c62844f9c78df59202d012ffd33f97f924a38befa8ba7f729c3b1818a1c95f3ba2620d0dcddc75ff921a922f100

memory/2516-157-0x000007FEF4DA0000-0x000007FEF578C000-memory.dmp

memory/1468-159-0x00000000011F0000-0x0000000001520000-memory.dmp

memory/1468-160-0x000007FEF43B0000-0x000007FEF4D9C000-memory.dmp

memory/1468-161-0x000000001B4F0000-0x000000001B570000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a2291065-7bfd-472a-bdb1-b4d09df2dc13.vbs

MD5 2184cc07ca900c76dff794bebf0429cd
SHA1 3981f7754e1459ebcef1bf1864e0b62151b1bf98
SHA256 5331d34fd5f9bd63c07e5687b3a0ed2623f11db28c9a5fe6d670cc2c8f02abc8
SHA512 68a6608c7588817673197f5f290cc9e22d43ac17cb97878e5c3548a062799487956be5dbb4a1f7fa12d3acdd0cbfca45b517f06869edd8651588cae9aec6c77a

memory/1468-172-0x000007FEF43B0000-0x000007FEF4D9C000-memory.dmp

memory/2028-174-0x000007FEF4DA0000-0x000007FEF578C000-memory.dmp

memory/2028-175-0x000000001B360000-0x000000001B3E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ed21885-4349-48cd-bed1-31f6a117e8b4.vbs

MD5 95e88680748a0f4b498ea4b5610ee018
SHA1 a0f802c2974905ac9473c19bbe5048604795932e
SHA256 147264aa43a9b4354a73ba2f6cb311815e6f98713f44136a679d5d7dc5eb88b1
SHA512 b5355df0c0acdefbac8df11a3b05244da810ddc0d06597fbfc1f8a799c808d3cb912e8506ab337d814fef20fcb35565a83f79c47a2e71170d57c2df96c0552c5

memory/2028-186-0x000007FEF4DA0000-0x000007FEF578C000-memory.dmp

memory/2172-188-0x000007FEF43B0000-0x000007FEF4D9C000-memory.dmp

memory/2172-189-0x00000000003B0000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f40e772a-27fe-49f0-bfd7-0765d08d25a4.vbs

MD5 41986473a67df88c2d29bd0b6b1e2c32
SHA1 5936bdeb7c6599f6c2f3aac8fba7a38caebd43ea
SHA256 30428115af15f42cfa4347aa56fcfcd43967555050c2a86545b217389e7fd47f
SHA512 0c31ec7db2dea8b12d2165635e73aec4c42e15e55ab5bbee830d30ae576f8e3f8d1294f7f464d373c8868a53d96141c10883afaa73cc12708c8716c7f1f24062

memory/2172-200-0x000007FEF43B0000-0x000007FEF4D9C000-memory.dmp

memory/3040-203-0x000007FEF4DA0000-0x000007FEF578C000-memory.dmp

memory/3040-202-0x00000000001D0000-0x0000000000500000-memory.dmp

memory/3040-204-0x000000001B200000-0x000000001B280000-memory.dmp

memory/3040-205-0x0000000000B10000-0x0000000000B22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\72bc2190-991d-4af2-9504-771f8f98330e.vbs

MD5 dcc446baf8d0ce373a347fb7a0b77e8b
SHA1 e5bd2d5100c505033661cc56b4e3c5ae4b21dc6d
SHA256 1b7af1edeca8498f8fe06b60c9d23eabdd46cb25b16595a442d83d821b8ee47d
SHA512 f92b88065abce1aa68f43e5ff1e462fcb3ce00f55a6071f42e24dbb0cc3439dc7bacb3970e406ce1d70a68cae9361179a2ad1c9f081b4dc48aec2acd00b044da

C:\Users\Admin\AppData\Local\Temp\994c7646-6dab-4c30-82f5-c12318bb2061.vbs

MD5 699c46cc3c5161cce0a63f9fe8d595e1
SHA1 9fd8e8881d7eea76e94b1740a8e02dcf35e29dc1
SHA256 23a4f48fe52da678dd64ecfbff7ede5869d58793df003bd68b18b4ac6d7d7842
SHA512 af8cae014418c9a9df6e18dfa3557d760c374bd339614d27aeb360bb43b8d5c67a3c2f6d652956e448e993127dea19fb033f35b1dfe01ce81d31bac80ac5ddbd

C:\Users\Admin\AppData\Local\Temp\ec9f3e96-16f8-462e-9b78-c6fd8138ac96.vbs

MD5 cbe9cd18a665602a7ca5ab506a60617e
SHA1 68281ba8c716509c063e427b4c41061adc7505b3
SHA256 f632f1f3bbbd82a6f75e27652bfdc26b65aabf605dc381f4e030f0c401a70ac0
SHA512 ce3bc34d6be32a940657307936d98e63fb65ffbd506e017df4fd9ab5fbab7b8fd497a16b5eed4c3e7309dbafeb05cb2b1226be13f765da57bd6a7785e88fb1d4

C:\Users\Admin\AppData\Local\Temp\a3bb2515-afd2-4046-9fc9-54a692cb84e3.vbs

MD5 27d5425f7f061796c74a9e9e8236f9e9
SHA1 7ae01e62a7c0b68faa11f322a7f3984bac6342ac
SHA256 2cac09c29e3cc15c43f10f9cf4d7d681aa227c530b2d44aabfb655e28e0934bb
SHA512 61899517c33aba93627f744fe6aa5ad1ff6c82d805602c6511aba16c8990542cb7e5bf8c85c882f871ba11afb138fd71c5f23fec231380f4d8c5caa1ecdb7cbc

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-26 01:29

Reported

2024-03-26 01:32

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\Office16\dllhost.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\Microsoft Office\Office16\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
File created C:\Program Files\MsEdgeCrashpad\attachments\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
N/A N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 220 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 2724 wrote to memory of 4612 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 2724 wrote to memory of 4612 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 2724 wrote to memory of 4776 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 2724 wrote to memory of 4776 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4612 wrote to memory of 4448 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 4612 wrote to memory of 4448 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 4448 wrote to memory of 4900 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4448 wrote to memory of 4900 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4448 wrote to memory of 3288 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4448 wrote to memory of 3288 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4900 wrote to memory of 1968 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 4900 wrote to memory of 1968 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 1968 wrote to memory of 4404 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 1968 wrote to memory of 4404 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 1968 wrote to memory of 3824 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 1968 wrote to memory of 3824 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4404 wrote to memory of 4552 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 4404 wrote to memory of 4552 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 4552 wrote to memory of 1428 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4552 wrote to memory of 1428 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4552 wrote to memory of 3816 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4552 wrote to memory of 3816 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 1428 wrote to memory of 4640 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 1428 wrote to memory of 4640 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 4640 wrote to memory of 4564 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4640 wrote to memory of 4564 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4640 wrote to memory of 4760 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4640 wrote to memory of 4760 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4564 wrote to memory of 2180 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 4564 wrote to memory of 2180 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 2180 wrote to memory of 3688 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 2180 wrote to memory of 3688 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 2180 wrote to memory of 5000 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 2180 wrote to memory of 5000 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 3688 wrote to memory of 3848 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 3688 wrote to memory of 3848 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 3848 wrote to memory of 5036 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 3848 wrote to memory of 5036 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 3848 wrote to memory of 896 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 3848 wrote to memory of 896 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 5036 wrote to memory of 2012 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 5036 wrote to memory of 2012 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 2012 wrote to memory of 724 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 2012 wrote to memory of 724 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 2012 wrote to memory of 4756 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 2012 wrote to memory of 4756 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 724 wrote to memory of 4628 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 724 wrote to memory of 4628 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 4628 wrote to memory of 3040 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4628 wrote to memory of 3040 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4628 wrote to memory of 4280 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 4628 wrote to memory of 4280 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 3040 wrote to memory of 1556 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 3040 wrote to memory of 1556 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 1556 wrote to memory of 3512 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 1556 wrote to memory of 3512 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 1556 wrote to memory of 1296 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 1556 wrote to memory of 1296 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 3512 wrote to memory of 2548 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 3512 wrote to memory of 2548 N/A C:\Windows\System32\WScript.exe C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe
PID 2548 wrote to memory of 2004 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe
PID 2548 wrote to memory of 2004 N/A C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A
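The three values written above are the whole of the UAC prompting policy. EnableLUA = 0 switches UAC off at the next reboot; ConsentPromptBehaviorAdmin = 0 lets any process holding an administrator token elevate without a prompt in the current session; PromptOnSecureDesktop = 0 moves whatever prompt remains off the secure desktop. Writing under HKLM\...\Policies\System already requires an administrator token, so these rows show a process that has elevated and is removing the prompts its persistence (the ONLOGON tasks created with /rl HIGHEST under Processes below) would otherwise raise at every logon. The Python below is an added example, not part of the sandbox report or of the DCRat sample: it parses rows in the exact form the table prints them (the four sample rows are copied from the table and marked as constructed input), reports which UAC values were zeroed and by which processes, and emits reg.exe commands that restore the values a stock Windows install carries (1, 5, 1). The regular expression, the function names and the row format assumption are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: four rows copied from the "System policy modification" table of this
# report, in the form the sandbox prints them: description, key\value = "data", process, target.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe N/A',
]

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# What each value means once forced to 0, and the data a stock Windows install carries.
UAC_VALUES = {
    "EnableLUA": ("UAC switched off entirely; takes effect at the next reboot", 1),
    "ConsentPromptBehaviorAdmin": ("administrators elevate silently, no consent prompt", 5),
    "PromptOnSecureDesktop": ("remaining prompts drawn on the normal desktop, where they can be spoofed or automated", 1),
}

# Row layout assumed by this example: 'Set value (<type>) <key>\<value name> = "<data>" <process> <target>'.
# The process path may contain spaces, so the greedy group is closed by the single last token.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = "(?P<data>[^"]*)" (?P<process>.+) (?P<target>\S+)$'
)


def parse_policy_event(line):
    """Split one sandbox registry row into its fields; None for anything that is not such a row."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def uac_tampering(lines):
    """Collect every write that turns a UAC policy value off.
    Returns {value name: {"count": writes seen, "writers": {process paths}}}."""
    findings = defaultdict(lambda: {"count": 0, "writers": set()})
    for line in lines:
        ev = parse_policy_event(line)
        if ev is None or ev["key"].lower() != UAC_POLICY_KEY.lower():
            continue
        if ev["name"] in UAC_VALUES and ev["data"] == "0":
            findings[ev["name"]]["count"] += 1
            findings[ev["name"]]["writers"].add(ev["process"])
    return dict(findings)


def uac_effectively_off(findings):
    """EnableLUA=0 removes UAC after a reboot; ConsentPromptBehaviorAdmin=0 already removes the
    prompt for the running session, so either one alone means the host is unprotected."""
    return "EnableLUA" in findings or "ConsentPromptBehaviorAdmin" in findings


def restore_commands(findings):
    """reg.exe commands that put each tampered value back to its default data."""
    hive_path = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    return [
        f'reg add "{hive_path}" /v {name} /t REG_DWORD /d {UAC_VALUES[name][1]} /f'
        for name in UAC_VALUES if name in findings
    ]


if __name__ == "__main__":
    found = uac_tampering(SAMPLE_EVENTS)
    for name, f in found.items():
        print(f"{name} set to 0 {f['count']}x by {len(f['writers'])} process(es): {UAC_VALUES[name][0]}")
    print("UAC effectively off:", uac_effectively_off(found))
    for cmd in restore_commands(found):
        print(cmd)
```

Restoring the three values is only the last step of cleanup: the writer here is an unsigned binary named explorer.exe living under C:\Program Files\MsEdgeCrashpad\attachments, and until that binary and its scheduled tasks are gone it will simply zero the values again on its next run.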

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe

"C:\Users\Admin\AppData\Local\Temp\5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\339f9d5f-f6a4-4f42-8559-f1ea24250232.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6677cf2-0df6-4088-bddd-876847e7fa1c.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d510248-a41e-4bb2-b5b7-b76302271e8d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0a0b4c6-fa98-4677-94a9-b3fe7429a77b.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85365485-5253-4562-b972-d2a6de079218.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\912fc13c-640e-4048-8cc3-9e889ed04172.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3828 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d89f672f-5a1b-4482-8275-8aba1f2e72e2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3c4b957-caac-4530-91a1-3ca756222cca.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\738b0bf3-a914-40dc-8550-4986da63bddd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\472e5f38-9817-4e96-b458-e2d23b4e9114.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4edb2e65-9b9a-4d8b-a673-806279fdd0c8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50a992fa-6291-473b-8925-fb712b0b9492.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6e04c06-b76e-42fc-83fa-497a26093f8a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24e91c49-a480-44d0-a0e9-2d79d34addf4.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58ad5d7c-2af7-48c4-9dd0-4c5bb829862e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de7852ce-0f03-48d6-a3ff-15ab4d554082.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a72cc85c-0abe-4f4d-8c85-79446a68ecd5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf11b467-07b6-48e0-9d9c-a8614f6c5caf.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e4199ec-a79e-4f5b-a4b8-fdf1a4b33a34.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8def966-3481-450e-94be-32b2152bcded.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a322cf6f-4c1f-4a4f-b011-ed9dad23e7a8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ff327be-a2a8-4dcc-877a-88c62dbfaea6.vbs"

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

"C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 a0917913.xsph.ru udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp
RU 141.8.192.6:80 a0917913.xsph.ru tcp

Files

memory/220-0-0x0000000000D40000-0x0000000001070000-memory.dmp

memory/220-1-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/220-2-0x0000000001810000-0x0000000001820000-memory.dmp

memory/220-3-0x0000000001860000-0x000000000186E000-memory.dmp

memory/220-4-0x0000000001870000-0x000000000187E000-memory.dmp

memory/220-6-0x000000001BF70000-0x000000001BF78000-memory.dmp

memory/220-5-0x0000000003230000-0x0000000003238000-memory.dmp

memory/220-7-0x000000001BF80000-0x000000001BF90000-memory.dmp

memory/220-8-0x000000001BF90000-0x000000001BFA6000-memory.dmp

memory/220-9-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

memory/220-10-0x000000001C2C0000-0x000000001C2D2000-memory.dmp

memory/220-11-0x000000001C3F0000-0x000000001C3FC000-memory.dmp

memory/220-12-0x000000001C3D0000-0x000000001C3D8000-memory.dmp

memory/220-13-0x000000001C3E0000-0x000000001C3F0000-memory.dmp

memory/220-14-0x000000001C400000-0x000000001C40A000-memory.dmp

memory/220-15-0x000000001C410000-0x000000001C466000-memory.dmp

memory/220-16-0x000000001C460000-0x000000001C46C000-memory.dmp

memory/220-17-0x000000001C470000-0x000000001C478000-memory.dmp

memory/220-18-0x000000001C480000-0x000000001C48C000-memory.dmp

memory/220-19-0x000000001C490000-0x000000001C498000-memory.dmp

memory/220-20-0x000000001C4A0000-0x000000001C4B2000-memory.dmp

memory/220-21-0x000000001CA00000-0x000000001CF28000-memory.dmp

memory/220-22-0x000000001C4D0000-0x000000001C4DC000-memory.dmp

memory/220-23-0x000000001C4E0000-0x000000001C4EC000-memory.dmp

memory/220-24-0x000000001C4F0000-0x000000001C4F8000-memory.dmp

memory/220-25-0x000000001C500000-0x000000001C50C000-memory.dmp

memory/220-26-0x000000001C510000-0x000000001C51C000-memory.dmp

memory/220-27-0x000000001C620000-0x000000001C628000-memory.dmp

memory/220-28-0x000000001C630000-0x000000001C63A000-memory.dmp

memory/220-29-0x000000001C640000-0x000000001C64E000-memory.dmp

memory/220-31-0x000000001C760000-0x000000001C76E000-memory.dmp

memory/220-30-0x000000001C750000-0x000000001C758000-memory.dmp

memory/220-32-0x000000001C770000-0x000000001C77C000-memory.dmp

memory/220-33-0x000000001C780000-0x000000001C788000-memory.dmp

memory/220-34-0x000000001C790000-0x000000001C79A000-memory.dmp

memory/220-35-0x000000001C7A0000-0x000000001C7AC000-memory.dmp

C:\Recovery\WindowsRE\System.exe

MD5 1994f3ef2118aeecbb74e6c8976fd47b
SHA1 8f157fc5c2af51db24b66085f29d3c1240be36b2
SHA256 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
SHA512 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

MD5 fc95f901144b526106036caf9f1d1ded
SHA1 2ea1694dfd32b9cee3ef3adfe9516d4cc3a3c187
SHA256 bba41fcf986afd98eb026246769343704af4bea6628c48920458d93b7fd8d1b3
SHA512 d5595d34c0f3935c99d4db44fe9757ff6e08505fd3c684732490249471282ba89ce2038dde4226fb4b99af28f1da63601f950e8a75a1564329979097c272dfcf

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

MD5 51887e615227c67008bfadab603bebf5
SHA1 26f39c55361caa7aff7b9a8112f306857d49fa51
SHA256 8e42f7cf0078439c565313701c38826df01a0295dc46557002800fc22aed30ab
SHA512 439f67faea116c8e238727bea288415373dba52e36d32ab84f299c0a5aea4592a493bcc2a69338fe6c87e83cfb4658a9721816d8db01435d4bc48c9a6e423bd9

memory/2724-57-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/220-58-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/2724-59-0x000000001B370000-0x000000001B380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\339f9d5f-f6a4-4f42-8559-f1ea24250232.vbs

MD5 e282c0f2a04085f2bad54c24750a2d97
SHA1 1cf817fb84e1044deccf3d50526f45c17fe11b6f
SHA256 bb1f7c08c6f4f99a64b3157a56652fc65a9c6faecd61fc58970a5d91bbe9102a
SHA512 f1171b588bb9e2e8f5864990fea11d84e2a49d4e00880bc90c9f6fd08c5bed44539b5bb0072c2be1248542bdfdab65733d7476ae3028472a5bd21839f84df2d9

C:\Users\Admin\AppData\Local\Temp\e6677cf2-0df6-4088-bddd-876847e7fa1c.vbs

MD5 14393366a3dae5945096a73aabb9df98
SHA1 81d81525ffafa9171108156657c07fecb67fa68c
SHA256 f33e16e31fda08b4c56633d2643e969ab3d3ec4e36f15011d8ab297eedf1e54b
SHA512 cc8a24a793dc8541099dbced8f2087f386286e25f208be19848cb2d4d6e2dd9372b0528015fdd8c82765201241cafe3e6078372978b4648c85ac48a606f79c6a

memory/2724-70-0x000000001B2F0000-0x000000001B306000-memory.dmp

memory/2724-71-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

MD5 caa9da90d9bfc2c0fbadbf7eb57d1aae
SHA1 b0237d1cdb8c7fdb6f89e72475dbfb639c025ed7
SHA256 b5c2348671b5ad62cc02ded41adcf1855341bd6d20706bf45d9d68e4cddd4bbd
SHA512 da20485cf87f6e9b95141dea062188b5a2299ff1e1a7f83446afac0d8b70a2d18d02b60b232b2c9e6af5071906dd08f41cf4637379165c1823a9fa9b82d155d8

memory/4448-74-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/4448-75-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9d510248-a41e-4bb2-b5b7-b76302271e8d.vbs

MD5 5e3b6f2f57c17bd009f69aa6b0101bf2
SHA1 428895342ef1f243ed987d37820de0df393661bb
SHA256 902202307e20a340db0811b2b7be4b596dc52d2e40ed9db752aec79d9ac64f1c
SHA512 dc7199fac8c9e2c77bcbe164291f89aa78ea23f1d029346a53818390f6e03d765809ceb74ac91d2d73f6c1b4dee587df1f38e60c415c7cee7f1026e30a0a530f

memory/4448-86-0x000000001C1B0000-0x000000001C1E0000-memory.dmp

memory/4448-87-0x000000001C170000-0x000000001C186000-memory.dmp

memory/4448-88-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/1968-90-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85365485-5253-4562-b972-d2a6de079218.vbs

MD5 b6d9454e7f091a945c19dbcbc16b62d5
SHA1 999554d1ae791cd98e125bb0d2e2631a358c9fed
SHA256 9b6a3b13c9245ad7b26d72b7ecd3a2476268062d1c5798e1ff3ed3cb1f251d45
SHA512 62989f14ea1412261d46c462374bee396e7b9d6d41506f093c3a03def8b95f493d4a8c203188460328e481bf9e7b8228569e964cd07b32b2994156f7a1f8acda

memory/1968-101-0x000000001BF50000-0x000000001BF80000-memory.dmp

memory/1968-102-0x000000001BF10000-0x000000001BF26000-memory.dmp

memory/1968-103-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/4552-105-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d89f672f-5a1b-4482-8275-8aba1f2e72e2.vbs

MD5 80eeeed543136ea02f92f70b249366d8
SHA1 0ff8eec60c17b9ad6b8cabc8f9a647c64a3f05c7
SHA256 ab07e5dec14590655a195449a838be56e31c3b625b41c976ba725ddb95c0d5e7
SHA512 3696aec26ac96c069420b67300746587dce13c9492cb0206d14d3b7644c0815e373a43b4968536ff507d18a281f69bc1b498cdfd64e0662fa759322ce1aea1de

memory/4552-116-0x000000001C130000-0x000000001C160000-memory.dmp

memory/4552-117-0x000000001C130000-0x000000001C160000-memory.dmp

memory/4552-118-0x000000001C0F0000-0x000000001C106000-memory.dmp

memory/4552-119-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/4640-121-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\738b0bf3-a914-40dc-8550-4986da63bddd.vbs

MD5 4231cf3e140654456d8b6ee6fdd090bf
SHA1 d3aec9fabc6eab2f5ee31561c90523533067c39f
SHA256 706d98581967680945c12fbde31b48e0157eb52d531b78aabf67553ee90f047a
SHA512 9d25c4ea75288aea26e9654ace6552b5e185f29d22dedc120d9f6848e5f1e7b3932bb490456e5532d42ea34927b32b3ee5b6ff2538b694d17f3a8cbd26bc3361

memory/4640-132-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/2180-134-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4edb2e65-9b9a-4d8b-a673-806279fdd0c8.vbs

MD5 8a866a17e828de3ede4dd7a8a1e73704
SHA1 17b5e532ce974909556e9567b9b5156202fd326a
SHA256 ac6817e548db0c4a3ab2cbbf1ca0d6bf78b96213fc9930a6dfcadcf287a8ec68
SHA512 944edf20b86fc870bff7f7410efb2cd760fd3a35ca6503ed9e8d2c7cf2b383f179fbfebdd26e51c8a9c6bf3f7012543ff5cb5f1d7b4c88be1900b24f11700658

memory/2180-145-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/3848-147-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/3848-148-0x000000001B370000-0x000000001B380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e6e04c06-b76e-42fc-83fa-497a26093f8a.vbs

MD5 ec3c6bacdbb8744a6167449761ca4be0
SHA1 876eb67b3eaa14c1d032610ea6c868adea942954
SHA256 46abbc503ea8b11348891ed5384352c87d657a314f6a36788432cbfab2867dec
SHA512 fe8a39c85de06ba9a13605233291fac94c15d2b659c9d8df91f51265ad811403bd44d91cc59c456c1bad1bec2be1fcad305769f7e87a9e2bb5e658ecb0515cd4

memory/3848-159-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe

MD5 2907c703bb86b3fafda19fb7bbbf7e04
SHA1 874518e030dc491d5c99fedf786ac417caa9332d
SHA256 489584557d708a90ebe304d26c23a104a5ecf83d76dcc2a8698d1d54644704e0
SHA512 89309070a934c1e50764baeb783eb33225f852f9cb940ae9dcc89da3059d31df3324a9d63cc3d060e112691e7616df3fb6ffc4f3bd7b1ea32da67e5ad945388f

memory/2012-164-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/2012-165-0x000000001BD10000-0x000000001BD20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\58ad5d7c-2af7-48c4-9dd0-4c5bb829862e.vbs

MD5 7d8222659db338d9e9096a3cfb832f98
SHA1 fd8459eaafe4158ab3fa1c4a7f8ed98ec244cc95
SHA256 fbc32a15a9e17b9a0f6aaf7fabe1b686ecc6f4e00e7c64d998ba55b92294962a
SHA512 3da3d0579b995564131dd735bc9f33d51bd69bdd2e3494dc42118eb1f9949c359047d4a38971e5007d1bf3eb58d5f784ff91e42f76658a6031b00f73a42e959b

memory/2012-176-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/4628-178-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/4628-179-0x0000000000C30000-0x0000000000C42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a72cc85c-0abe-4f4d-8c85-79446a68ecd5.vbs

MD5 6f71273b1acb978eba1cb1e8593973d2
SHA1 0b9c3ac80cca3dbe326c9914ba61b1f5a602d4e5
SHA256 a2b0ea5ac1375e8dfaf798b654e56aef001a538a183b682be226c5e42b90da94
SHA512 6923caa2ea7f313b35e4656fd424a5ce84726a97690cebcd889822153ae24602f65bcc12b0c207de9a0db7ca60305ead9f4b1214e5d43931352bf1c34cce7d2f

memory/4628-190-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/1556-192-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/1556-193-0x000000001B730000-0x000000001B740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6e4199ec-a79e-4f5b-a4b8-fdf1a4b33a34.vbs

MD5 c036bfd9fe177608db12bab20f4d2410
SHA1 b1d8075c52a8fc5fc5f1af6a762a2866e8dfacd4
SHA256 65527983dea4e831bb68f1f56fabdf2031fd4e9b5807dacb8127c0b34aa15714
SHA512 8209014c72b310fb8fa8e242b76055796133cfc39237654b525193ae2c64a549bffbc8a1d7b8b14aed8957eeaf3b93b3e5429532e9b6b37866760378ed1878e5

memory/1556-204-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

memory/2548-206-0x00007FFCC2140000-0x00007FFCC2C01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a322cf6f-4c1f-4a4f-b011-ed9dad23e7a8.vbs

MD5 ea07f93461180f9734570276a0ee3537
SHA1 8d8ef60b240ea31f020f9a710575435d8d7f9f88
SHA256 b84b9bf436aa044853d3a6421eb41297dc7879a26c5fad7d4727e834392ebde8
SHA512 e21f07682680beff6bb38e7fd76ccd1f5c703d74c400d87e3f032b28510759af1be009cb115e0938d70e4cdb5780f4a3bf6b9c5b17e030103fa320762d269ba1