Malware Analysis Report

2024-11-15 05:49

Sample ID 240513-23gzdahh68
Target 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf
SHA256 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf

Threat Level: Known bad

The file 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

Dcrat family

UAC bypass

DcRat

Process spawned unexpected child process

DCRat payload

Detects executables packed with SmartAssembly

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 23:06

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 23:06

Reported

2024-05-13 23:08

Platform

win7-20240215-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (×27 identical rows) | N/A | C:\Windows\system32\schtasks.exe |

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
Set value (int) (×6 identical rows) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\AppCompat\Programs\System.exe | N/A
Set value (int) (×6 identical rows) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\AppCompat\Programs\System.exe | N/A
Set value (int) (×6 identical rows) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\AppCompat\Programs\System.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×9 identical rows)

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×8 identical rows)

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
Key value queried (×6 identical rows) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\AppCompat\Programs\System.exe | N/A
Set value (int) (×6 identical rows) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\AppCompat\Programs\System.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Internet Explorer\es-ES\RCX24CF.tmp | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\es-ES\explorer.exe | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File created | C:\Program Files\Internet Explorer\es-ES\explorer.exe | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File created | C:\Program Files\Internet Explorer\es-ES\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\es-ES\RCX24CE.tmp | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\AppCompat\Programs\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File opened for modification | C:\Windows\Prefetch\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File opened for modification | C:\Windows\AppCompat\Programs\RCX2943.tmp | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File created | C:\Windows\Prefetch\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File created | C:\Windows\Prefetch\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File opened for modification | C:\Windows\Prefetch\RCX1DD6.tmp | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File opened for modification | C:\Windows\AppCompat\Programs\RCX28D5.tmp | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File opened for modification | C:\Windows\AppCompat\Programs\System.exe | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File created | C:\Windows\AppCompat\Programs\System.exe | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
File opened for modification | C:\Windows\Prefetch\RCX1DD5.tmp | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (×27 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
N/A (×12 identical rows) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A (×25 identical rows) | N/A | C:\Windows\AppCompat\Programs\System.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | N/A
Token: SeDebugPrivilege (×12 identical rows) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege (×6 identical rows) | N/A | C:\Windows\AppCompat\Programs\System.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3000 wrote to memory of 2884 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1768 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1268 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1620 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 836 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2896 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2960 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2388 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 3044 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2888 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1720 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1532 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2732 (×3 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe | C:\Windows\System32\cmd.exe
PID 2732 wrote to memory of 604 (×3 identical rows) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2732 wrote to memory of 1824 (×3 identical rows) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\AppCompat\Programs\System.exe
PID 1824 wrote to memory of 2008 (×3 identical rows) | N/A | C:\Windows\AppCompat\Programs\System.exe | C:\Windows\System32\WScript.exe
PID 1824 wrote to memory of 1672 (×3 identical rows) | N/A | C:\Windows\AppCompat\Programs\System.exe | C:\Windows\System32\WScript.exe
PID 2008 wrote to memory of 1304 (×3 identical rows) | N/A | C:\Windows\System32\WScript.exe | C:\Windows\AppCompat\Programs\System.exe
PID 1304 wrote to memory of 2456 (×3 identical rows) | N/A | C:\Windows\AppCompat\Programs\System.exe | C:\Windows\System32\WScript.exe
PID 1304 wrote to memory of 2260 (×3 identical rows) | N/A | C:\Windows\AppCompat\Programs\System.exe | C:\Windows\System32\WScript.exe
PID 2456 wrote to memory of 2084 (×3 identical rows) | N/A | C:\Windows\System32\WScript.exe | C:\Windows\AppCompat\Programs\System.exe
PID 2084 wrote to memory of 2936 | N/A | C:\Windows\AppCompat\Programs\System.exe | C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppCompat\Programs\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppCompat\Programs\System.exe N/A
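The three values written above (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, all set to 0) are also the ones listed under "UAC bypass" in the behavioral2 run. The following is an added example, not part of the sandbox report and not the sandbox's own signature logic: it parses "Set value" rows in the layout this report uses, replays them over the stock Windows values and states what the resulting UAC posture means. SAMPLE_ROWS is a constructed subset of the rows above plus one invented non-UAC row as a control; DEFAULTS is the stock value of each setting and MEANING_OF_ZERO is this example's own wording of the effect.

```python
"""Replay registry 'Set value' rows into a UAC posture summary.

Added example, not taken from the report. SAMPLE_ROWS is a constructed subset
of the report's rows plus one invented control row; DEFAULTS and
MEANING_OF_ZERO are this example's own baseline and wording.
"""
import re
from collections import Counter

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Stock Windows values for the three settings the sample overwrites.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
MEANING_OF_ZERO = {
    "EnableLUA": "UAC switched off entirely once the machine reboots",
    "ConsentPromptBehaviorAdmin": "administrators elevate with no prompt at all, effective immediately",
    "PromptOnSecureDesktop": "any remaining prompt is drawn on the normal desktop, "
                             "where other programs can interact with it",
}

# Constructed input: rows copied from the report, plus one invented control row
# for a different key that the detector must ignore.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\AppCompat\Programs\System.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\AppCompat\Programs\System.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\AppCompat\Programs\System.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Example\Setting = "x" C:\Example\app.exe N/A',
]

# Row layout: Set value (<type>) <key>\<name> = "<data>" <process> [N/A]
_ROW = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (.*?)(?:\s+N/A)?$')


def parse_row(row):
    """One report row -> dict, or None when the row is not a 'Set value' event."""
    m = _ROW.match(row.strip())
    if not m:
        return None
    vtype, regpath, data, process = m.groups()
    key, _, name = regpath.rpartition("\\")
    return {"type": vtype, "key": key, "name": name,
            "data": int(data) if data.lstrip("-").isdigit() else data,
            "process": process}


def uac_posture(rows):
    """Replay the rows over the stock values; report the final state, which
    processes wrote the UAC policy key, and which settings ended up weakened."""
    state = dict(DEFAULTS)
    writers = Counter()
    for row in rows:
        ev = parse_row(row)
        if ev is None or ev["key"].lower() != UAC_KEY.lower() or ev["name"] not in state:
            continue  # not a UAC policy write
        state[ev["name"]] = ev["data"]
        writers[ev["process"]] += 1
    weakened = [(name, MEANING_OF_ZERO[name]) for name, value in state.items() if value == 0]
    return {"state": state, "writers": dict(writers), "weakened": weakened}


if __name__ == "__main__":
    result = uac_posture(SAMPLE_ROWS)
    for name, meaning in result["weakened"]:
        print("%s = 0: %s" % (name, meaning))
    for process, count in result["writers"].items():
        print("written %d time(s) by %s" % (count, process))
```

The writer list is the part worth keeping in an incident timeline: here both the original dropper and the copy at C:\Windows\AppCompat\Programs\System.exe rewrite the key, so restoring the values without removing the scheduled tasks that relaunch System.exe only lasts until the next run.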

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe

"C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Downloads\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Prefetch\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf7" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf" /sc ONLOGON /tr "'C:\Users\Default User\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf7" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eT93LUFj2H.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\AppCompat\Programs\System.exe

"C:\Windows\AppCompat\Programs\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5270945d-02bb-47fb-9147-e281ee513ae8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb43163-9a44-4807-b135-220d03952a2e.vbs"

C:\Windows\AppCompat\Programs\System.exe

C:\Windows\AppCompat\Programs\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32c61fc4-bda2-40b0-a6bf-f8fc282f5d6e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47c57601-a554-4bc9-98f7-54b5dc5190b5.vbs"

C:\Windows\AppCompat\Programs\System.exe

C:\Windows\AppCompat\Programs\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ccef053-b8de-4797-b100-69b52336df52.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7e0b3d7-3103-488e-b27b-b31642f82fda.vbs"

C:\Windows\AppCompat\Programs\System.exe

C:\Windows\AppCompat\Programs\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6061930f-22c0-490c-82fa-fdfffdd4fd96.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735fb628-2ff2-4bc7-8c64-29fb716b1266.vbs"

C:\Windows\AppCompat\Programs\System.exe

C:\Windows\AppCompat\Programs\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ab2fbe8-315f-45cd-9d6e-a209062f6039.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52ca0e27-a49d-462c-8b6c-46185301d45b.vbs"

C:\Windows\AppCompat\Programs\System.exe

C:\Windows\AppCompat\Programs\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c727d1e-78ec-4ad6-86d3-c0169ef186dc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd85e2e4-2529-40ca-97f2-63c28c2880fe.vbs"
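Two patterns in the process list above are worth turning into checks: each dropped copy is registered three times with schtasks (one ONLOGON task plus two MINUTE tasks, /rl HIGHEST and /f) under a name that mirrors a Windows system binary but points at a path where that binary never lives, and Defender is neutralised by excluding C:/ and every top-level directory under it. The following is an added example, not part of the sandbox report and not DCRat or sandbox code: it parses command lines in the form shown above and flags both patterns. SAMPLE_CMDLINES is a constructed subset of the lines in this section plus one invented benign task ("AcmeBackup") as a control; SYSTEM_BINARY_HOMES and FAST_CADENCE_MINUTES are assumptions chosen for the illustration.

```python
"""Triage schtasks /create and Add-MpPreference command lines.

Added example, not taken from the report. SAMPLE_CMDLINES is a constructed
subset of the report's Processes section plus an invented benign task;
SYSTEM_BINARY_HOMES and FAST_CADENCE_MINUTES are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed input (last line is the invented benign control).
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Downloads\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /f
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eT93LUFj2H.bat"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
schtasks.exe /create /tn "AcmeBackup" /sc DAILY /tr "C:\Program Files\Acme\backup.exe" /f
'''.strip().splitlines()

# Where a binary of that name legitimately lives (assumption, not exhaustive).
# An empty set means no stock Windows install ships a file by that name.
SYSTEM_BINARY_HOMES = {
    "smss.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "lsm.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "system.exe": set(),
}
FAST_CADENCE_MINUTES = 15  # assumption: legitimate jobs rarely repeat this often

_OPT = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.I)
_EXCL = re.compile(r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)


def parse_schtasks(cmdline):
    """Fields of a 'schtasks /create' command line, or None for anything else."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    # /tr values arrive as "'path'" (double quotes around single quotes); strip both.
    opts = {k.lower(): v.strip('"').strip("'") for k, v in _OPT.findall(cmdline)}
    return {
        "name": opts.get("tn", ""),
        "schedule": opts.get("sc", "").upper(),
        "every": int(opts["mo"]) if opts.get("mo", "").isdigit() else None,
        "action": PureWindowsPath(opts.get("tr", "")),
        "highest": opts.get("rl", "").upper() == "HIGHEST",
    }


def is_masquerade(path):
    """True when the file name is a Windows system binary name but the file
    sits outside that binary's legitimate directory."""
    homes = SYSTEM_BINARY_HOMES.get(path.name.lower())
    return homes is not None and str(path.parent).lower() not in homes


def assess_task(task):
    """Reasons a parsed task looks like malware persistence (empty if none)."""
    reasons = []
    if is_masquerade(task["action"]):
        reasons.append("action masquerades as %s" % task["action"].name)
    if task["schedule"] == "MINUTE" and task["every"] is not None and task["every"] <= FAST_CADENCE_MINUTES:
        reasons.append("re-runs every %d min" % task["every"])
    if task["highest"]:
        reasons.append("runs with highest privileges")
    return reasons


def parse_defender_exclusion(cmdline):
    """(kind, value) for an Add-MpPreference -Exclusion* call, or None."""
    m = _EXCL.search(cmdline)
    if not m:
        return None
    return m.group(1).lower(), next(g for g in m.groups()[1:] if g is not None)


def exclusion_depth(path):
    """Directory depth below the drive root: 0 for C:/, 1 for C:/Users, ..."""
    return len(PureWindowsPath(path.replace("/", "\\")).parts) - 1


def triage(cmdlines):
    """Run both detectors; return (kind, subject, detail) findings in input order."""
    findings = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is not None:
            reasons = assess_task(task)
            if reasons:
                findings.append(("task", task["name"], "; ".join(reasons)))
            continue
        excl = parse_defender_exclusion(line)
        if excl is not None and excl[0] == "path" and exclusion_depth(excl[1]) <= 1:
            findings.append(("defender", excl[1], "drive-root or top-level path exclusion"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_CMDLINES):
        print("%-8s %-28s %s" % (kind, subject, detail))
```

The task check deliberately keys on the action path rather than the task name: the names here ("smsss", "wininitw", "SystemS") are derived from the binary name, but a name match alone would also fire on the genuine tasks that live under \Microsoft\Windows. The exclusion check treats anything at depth 0 or 1 as effectively disabling real-time protection, which is what the twelve Add-MpPreference calls above achieve together.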

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp

Files

memory/3000-0-0x000007FEF4E63000-0x000007FEF4E64000-memory.dmp

memory/3000-1-0x00000000002B0000-0x00000000005EC000-memory.dmp

memory/3000-2-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

memory/3000-3-0x0000000000250000-0x000000000025E000-memory.dmp

memory/3000-4-0x0000000000260000-0x000000000026E000-memory.dmp

memory/3000-8-0x0000000000660000-0x0000000000670000-memory.dmp

memory/3000-12-0x00000000006A0000-0x00000000006AA000-memory.dmp

memory/3000-11-0x00000000006D0000-0x00000000006E0000-memory.dmp

memory/3000-10-0x0000000000690000-0x0000000000698000-memory.dmp

memory/3000-9-0x0000000000670000-0x0000000000686000-memory.dmp

memory/3000-7-0x00000000002A0000-0x00000000002A8000-memory.dmp

memory/3000-6-0x0000000000280000-0x000000000029C000-memory.dmp

memory/3000-14-0x00000000006B0000-0x00000000006BC000-memory.dmp

memory/3000-18-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

memory/3000-21-0x00000000023B0000-0x00000000023BC000-memory.dmp

memory/3000-22-0x00000000023C0000-0x00000000023CC000-memory.dmp

memory/3000-30-0x0000000002610000-0x000000000261A000-memory.dmp

memory/3000-34-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

C:\Users\Public\Videos\Sample Videos\lsm.exe

MD5 5e11b7a6246841f5c8dc76aa757e0613
SHA1 44125a86ecdd8fe8cb0261b4ce79b1fc4b61d639
SHA256 7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf
SHA512 2d8f81567cf50ec22fb577e01cdf123e2da0a13380691133a3f5e01fb989db37d3ff25fff12e5a3d8cd133d13e96c2bad14ae488ce2689e6fdb050fbb9252cf0

memory/3000-31-0x0000000002620000-0x000000000262C000-memory.dmp

memory/3000-29-0x0000000002600000-0x0000000002608000-memory.dmp

memory/3000-28-0x00000000025F0000-0x00000000025FC000-memory.dmp

memory/3000-27-0x0000000002450000-0x000000000245E000-memory.dmp

memory/3000-26-0x00000000023F0000-0x00000000023F8000-memory.dmp

memory/3000-25-0x00000000023E0000-0x00000000023EE000-memory.dmp

memory/3000-24-0x00000000023D0000-0x00000000023DA000-memory.dmp

memory/3000-23-0x0000000002400000-0x0000000002408000-memory.dmp

memory/3000-20-0x00000000023A0000-0x00000000023AC000-memory.dmp

memory/3000-19-0x0000000002390000-0x000000000239C000-memory.dmp

memory/3000-17-0x0000000000750000-0x0000000000758000-memory.dmp

memory/3000-16-0x0000000000740000-0x000000000074C000-memory.dmp

memory/3000-15-0x0000000000730000-0x0000000000738000-memory.dmp

memory/3000-13-0x00000000006E0000-0x0000000000736000-memory.dmp

memory/3000-5-0x0000000000270000-0x0000000000278000-memory.dmp

C:\Users\Default\Downloads\wininit.exe

MD5 37e91c46e45e78e758a58e5ef1e89540
SHA1 022aae824ef061d0a980e97cc93617f0855d5a3b
SHA256 1f408117b8b53698ee386013f35689b5f52a74d5c5ce6cd59af93cc809f2032c
SHA512 b19b9c9d1f338ee4221572b2d467bac5d4f9f480b9d26993877bc0cc1a93d103182ec7516e7200f987e7b2c17de13e931eaf4da552b72975c3eedb8fa7081861

C:\Users\Default\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe

MD5 f13864417a04a119f5a6f3c0ac00a819
SHA1 588711e6bc6bb30b4a15209b90d44ba49d21a10f
SHA256 7f90c7386cddf9c1dbd68ea560a26c8c5f5b270135a430fd9e275c3b17de2c7f
SHA512 bca7deaca806c54bdc63184b3abf3862f696d165176f9dcb17a221dcff03df32f755f57f6cfb0693e8545f84bb2296d2c076bcfc6e7ce394fa5b05e78ffe866f

C:\Windows\AppCompat\Programs\System.exe

MD5 a504a8ed00d24fe8b8c4aa41f7ca2f43
SHA1 7ca846355ce174493125e4337c9c0ec0fbdd48e6
SHA256 3b14c6d89f54b79b7e1655d0f3cc0e482e1644fbddc38302b1be543f70d16931
SHA512 849a9c1e739023392de6ad881df4ca372e7024c3881d43df47e06e44a465f13fee77709e4cab35eec8f97c3a78f034e2987190a049b0b99c24c10c9f7c59a8f9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 44ec6dac6e50baa7165670792cb46a44
SHA1 eeec40bf7e3826459d0de5336314eac5936699f8
SHA256 3771383e1164a3e75b6734edcc92714c9c7eed15f6410065d92fd31fce9daaca
SHA512 956e580d7df73610451e34e9352764dc1d475089c3838677e3b9362ccab5b4d32f290d541ad5f4b6c03846c287269b0a96ef188b8dca4defb8c4d539fd148d47

C:\Users\Admin\AppData\Local\Temp\eT93LUFj2H.bat

MD5 d116a77bfb16306ea909e92dd2b1e6b4
SHA1 fe70a575670fee0a44126022d1090a18d76068dc
SHA256 d595d0b430bf4368aa0ace0b92864b11dbea3e21b519de52fc7adbb282f3f84e
SHA512 0236a7a42d86cac4cf8bae1a27e77e5233b21a696b2c2716942147f97fa78279a614679f5cc48671116d972dbc38e142f6f80c8ba41df629dca2883183b5b124

memory/3000-211-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

memory/1620-179-0x0000000001E60000-0x0000000001E68000-memory.dmp

memory/836-168-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/1824-219-0x0000000000960000-0x0000000000C9C000-memory.dmp

memory/1824-220-0x00000000024F0000-0x0000000002502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5270945d-02bb-47fb-9147-e281ee513ae8.vbs

MD5 0492d133866c556701c48c50e8be86ff
SHA1 d39bf2dce3dad2ac2772401940811fcd82b5467a
SHA256 c6441ec98c5ed1f783123ef2d610327c1c2a3e4de3b6b4fce4b381cd866d8ec1
SHA512 c71e32283b234a7fbbc030b36c8566ee9f2d02adc651c6c73494c5a3787a46f591b12a571737275e762b7875c6fa4c89a80b00ab2891d1e33f923a0917dca64a

C:\Users\Admin\AppData\Local\Temp\beb43163-9a44-4807-b135-220d03952a2e.vbs

MD5 268741bfff166143c9da4593b7b987d4
SHA1 bf858ae021c630fa881c123d94fc67eba55d1597
SHA256 288a5b13c26f8e4217e1c06c15066ee54ed4e1b8789e5b78bdd7430975961e05
SHA512 8b0b97062fe385b18851ea57b97a95ddcedd932d3b59ca45b01862f71a649d13b6e80258af90ffc98ffebf847ed19a0949bb2dafa7f5a9fbc67e8a166c5e6efe

memory/1304-231-0x0000000001360000-0x000000000169C000-memory.dmp

memory/1304-232-0x0000000000C30000-0x0000000000C86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32c61fc4-bda2-40b0-a6bf-f8fc282f5d6e.vbs

MD5 f7de4559d09053790396c997cc9455be
SHA1 d838cd52e24da66b31edc5a40cb74e47b15bd758
SHA256 4d10216e0e10390238e11d92de7c6576dbab22294403950d200804a901beaf0e
SHA512 cdc696c94f2e08243b6b38d58c5500928c9920e73f22c43cea2a7495b239f995439ddf59bf4a9a01e4f690dfcab49c7ba12c3bb432e37d5cb618ca98a4d0e0d4

C:\Users\Admin\AppData\Local\Temp\6ccef053-b8de-4797-b100-69b52336df52.vbs

MD5 4990c9f1d9c347c7984c6b0f48333cd3
SHA1 eb7b65e6bddc5e3eac15e78b87d0242e335a2562
SHA256 6a9a6f6f14518b2b71eaf328ce00fe554bf64c1ba8b971334fa6f9f79590a73d
SHA512 d67e29953c4946f84f1024dcbad6eddc205f60001c2c3c2f681529c59ef82950543f6634b479982d8df3c2e4323c8c9597138ade34d4b496e21e14dc4d59c24c

C:\Users\Admin\AppData\Local\Temp\6061930f-22c0-490c-82fa-fdfffdd4fd96.vbs

MD5 902111f841697271cf2db4ed4ac8910f
SHA1 d7d58b720f576178a9c2bf3814123f3364addd4c
SHA256 0ba9497559f358b1d00e258840bbf8148495b51ebc08c47635c368025876ce5c
SHA512 6a961e12caf8a5b823dc06c283c0173d6d655e7d3a4d067a63d0834a0fc1febb346acd6e1ac4f369d61d7d4f97385a3b22b3cf240792dd0126f50ed97cc41f23

memory/860-266-0x00000000000A0000-0x00000000003DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ab2fbe8-315f-45cd-9d6e-a209062f6039.vbs

MD5 77ce10cdb2c5a73029446691bd50c76a
SHA1 52818abfa70422c23c7035588ec4196b13b15f9d
SHA256 0e2885239037989d8436037d309caacc7eee0c5483e9f565287258dfde821979
SHA512 2043ba9c8229a418388d85385e412368d7a8fc8ac5ca04616438ecc6888ffdfbbd957ff31e28b48cdd612f0a3ad12f79aa86d1a6506aeb9ec90a84fbf38f4539

memory/1304-278-0x00000000012E0000-0x000000000161C000-memory.dmp

memory/1304-279-0x0000000000D20000-0x0000000000D32000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 23:06

Reported

2024-05-13 23:08

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\Windows Portable Devices\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\IME\IMETC\DICTS\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\7-Zip\Lang\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\WmiPrvSE.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\host\fxr\8.0.2\RCX80C0.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\VideoLAN\VLC\services.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Internet Explorer\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Temp\RCX82D5.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\Internet Explorer\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\7-Zip\Lang\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8B09.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\wininit.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\dllhost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Temp\RCX8353.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\56085415360792 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCX6DB3.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX7617.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX8FBF.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX92C0.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\Windows Multimedia Platform\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\services.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\sihost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\VideoLAN\VLC\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\dotnet\host\fxr\8.0.2\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8A8B.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\Windows Portable Devices\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\Windows Multimedia Platform\dllhost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\Windows Portable Devices\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\services.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX7A60.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCX6DA2.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\RCX7401.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\RCX7412.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\Internet Explorer\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\services.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX7A61.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Temp\wininit.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\RCX85E5.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX903D.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Windows Mail\sihost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files\Windows NT\Accessories\en-US\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\8.0.2\RCX80B0.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\RCX8567.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX9242.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX7627.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CbsTemp\upfc.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\Downloaded Program Files\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\Speech_OneCore\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\IME\IMETC\DICTS\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\Speech_OneCore\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\Downloaded Program Files\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Windows\Speech_OneCore\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\IME\IMETC\DICTS\explorer.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\CSC\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Windows\IME\IMETC\DICTS\explorer.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\CbsTemp\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Windows\CbsTemp\upfc.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File created C:\Windows\servicing\upfc.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Windows\IME\IMETC\DICTS\RCX783B.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
File opened for modification C:\Windows\IME\IMETC\DICTS\RCX784C.tmp C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Recovery\WindowsRE\WmiPrvSE.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\WmiPrvSE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\cmd.exe
PID 2972 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\cmd.exe
PID 2792 wrote to memory of 2932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2792 wrote to memory of 2932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2792 wrote to memory of 1568 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
PID 2792 wrote to memory of 1568 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe
PID 1568 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Recovery\WindowsRE\WmiPrvSE.exe
PID 1568 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe C:\Recovery\WindowsRE\WmiPrvSE.exe
PID 4996 wrote to memory of 3504 N/A C:\Recovery\WindowsRE\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 4996 wrote to memory of 3504 N/A C:\Recovery\WindowsRE\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 4996 wrote to memory of 4672 N/A C:\Recovery\WindowsRE\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 4996 wrote to memory of 4672 N/A C:\Recovery\WindowsRE\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 3504 wrote to memory of 3284 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\WmiPrvSE.exe
PID 3504 wrote to memory of 3284 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\WmiPrvSE.exe
PID 3284 wrote to memory of 4444 N/A C:\Recovery\WindowsRE\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 3284 wrote to memory of 4444 N/A C:\Recovery\WindowsRE\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 3284 wrote to memory of 3208 N/A C:\Recovery\WindowsRE\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 3284 wrote to memory of 3208 N/A C:\Recovery\WindowsRE\WmiPrvSE.exe C:\Windows\System32\WScript.exe
PID 4444 wrote to memory of 3384 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\WmiPrvSE.exe
PID 4444 wrote to memory of 3384 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\WmiPrvSE.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\WmiPrvSE.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe

"C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\vfs\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\vfs\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\vfs\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\IMETC\DICTS\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\IME\IMETC\DICTS\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\IMETC\DICTS\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nv7qRJ8Umn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe

"C:\Users\Admin\AppData\Local\Temp\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\CbsTemp\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\pris\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\WindowsRE\WmiPrvSE.exe

"C:\Recovery\WindowsRE\WmiPrvSE.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb341735-5d96-4d33-ab8c-b6d223bd93cb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cf99b23-3a8d-4f62-acb9-bd7ea0235e47.vbs"

C:\Recovery\WindowsRE\WmiPrvSE.exe

C:\Recovery\WindowsRE\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a5bd386-a884-4ebb-b4d8-df69af331891.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a32cbac8-972a-4df0-b639-b1890d7fc4c6.vbs"

C:\Recovery\WindowsRE\WmiPrvSE.exe

C:\Recovery\WindowsRE\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\369aa7c6-d159-4a5c-8ec3-bebb4e8f5ad5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ba33123-3150-4cac-be7b-54c0a19d2d7c.vbs"

C:\Recovery\WindowsRE\WmiPrvSE.exe

C:\Recovery\WindowsRE\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc4eb19f-47ee-44e7-a069-3e810a6b1ed7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c87b482-e98b-41f3-b9e8-dc20fef1b46f.vbs"

C:\Recovery\WindowsRE\WmiPrvSE.exe

C:\Recovery\WindowsRE\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8206dc9e-1ffd-45dc-9f06-025e1abb8a80.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dfc49b9-65ab-4af0-9156-8f3f64566363.vbs"

C:\Recovery\WindowsRE\WmiPrvSE.exe

C:\Recovery\WindowsRE\WmiPrvSE.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d30e4198-ba8a-4d3d-a7f6-146746088d34.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1531b260-323f-493d-8b6e-eeca1202d024.vbs"

Network


Files


C:\Program Files\Microsoft Office\root\vfs\services.exe


C:\Recovery\WindowsRE\RCX71DC.tmp


C:\Program Files (x86)\Microsoft\Temp\wininit.exe


C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe


C:\Program Files\Windows Portable Devices\fontdrvhost.exe


C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe



C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q544qyv5.4dx.ps1


C:\Users\Admin\AppData\Local\Temp\Nv7qRJ8Umn.bat


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log


C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive



C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7eb1b5299df8045f5ac2c50a6bb0886bff3d4bb1d7eac97f4a9890451b0a3eaf.exe.log


C:\Recovery\WindowsRE\eddb19405b7ce1



C:\Users\Admin\AppData\Local\Temp\bb341735-5d96-4d33-ab8c-b6d223bd93cb.vbs


C:\Users\Admin\AppData\Local\Temp\4cf99b23-3a8d-4f62-acb9-bd7ea0235e47.vbs


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log


C:\Users\Admin\AppData\Local\Temp\5a5bd386-a884-4ebb-b4d8-df69af331891.vbs


C:\Users\Admin\AppData\Local\Temp\369aa7c6-d159-4a5c-8ec3-bebb4e8f5ad5.vbs


C:\Users\Admin\AppData\Local\Temp\cc4eb19f-47ee-44e7-a069-3e810a6b1ed7.vbs



C:\Users\Admin\AppData\Local\Temp\8206dc9e-1ffd-45dc-9f06-025e1abb8a80.vbs


C:\Users\Admin\AppData\Local\Temp\d30e4198-ba8a-4d3d-a7f6-146746088d34.vbs
