Malware Analysis Report

2024-11-15 05:49

Sample ID 240513-2zh29shg55
Target 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47
SHA256 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47
Tags: rat dcrat evasion infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47

Threat Level: Known bad

The file 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47 was found to be: Known bad.

Malicious Activity Summary

Tags: rat dcrat evasion infostealer trojan

Dcrat family
DcRat
DCRat payload
Detects executables containing base64 encoded gzip files
Detects executables packed with SmartAssembly
Process spawned unexpected child process
UAC bypass
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
System policy modification
Modifies registry class
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-13 23:01

Signatures

DCRat payload

rat
Static match on the submitted file. The report records no indicator, process or target for this rule (all N/A).

Dcrat family

dcrat

Detects executables containing base64 encoded gzip files

Static match on the submitted file; no indicator, process or target recorded (all N/A). The rule keys on an embedded payload that has been gzip-compressed and then base64-encoded, a common way for .NET loaders to carry a second-stage executable or configuration as a string resource.

Unsigned PE

The submitted file carries no Authenticode signature; no indicator, process or target recorded (all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-13 23:01
Reported: 2024-05-13 23:03
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | (not recorded)
(33 identical events; the report lists each one separately)

Note: wmiprvse.exe is the WMI provider host, and a process created through WMI (for example Win32_Process.Create) gets wmiprvse.exe as its parent. A schtasks.exe whose parent is wmiprvse.exe rather than cmd.exe, powershell.exe, an installer or the interactive user is a strong indicator on its own, independent of the task contents, which this report does not record (T1047 Windows Management Instrumentation, T1053.005 Scheduled Task).

UAC bypass

evasion trojan
Description | Indicator | Process | Target | Events
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe | N/A | 14
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe | N/A | 14
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe | N/A | 14
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A | 1
(45 events in total; the report lists every write separately)

Note: the three values together switch UAC off rather than bypass a single prompt. EnableLUA = 0 disables UAC entirely (it takes effect at the next reboot), ConsentPromptBehaviorAdmin = 0 makes members of Administrators elevate without any prompt, and PromptOnSecureDesktop = 0 removes the secure desktop for whatever prompting remains. A successful write under HKLM\SOFTWARE requires an elevated token, so the change does not gain privileges for the writing process; it removes the prompt for everything that runs afterwards, including the dropped copies, and survives reboots. Any process other than Group Policy tooling writing 0 to these values is worth an alert on its own (T1548.002 Bypass User Account Control, T1112 Modify Registry).

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(11 matches; the report attaches no indicator, process or target to any of them)

Detects executables containing base64 encoded gzip files

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(11 matches; the report attaches no indicator, process or target to any of them)
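The "Detects executables containing base64 encoded gzip files" rule, which fires in the static1 analysis and again on the 11 matches here, keys on a property of the encoding itself: the gzip magic bytes 1f 8b 08 always base64-encode to the four characters H4sI. The scanner below is an added example, not the sandbox's rule and not code from the sample or the DcRat project. It pre-filters on that prefix, then requires the candidate run to actually base64-decode and gunzip before reporting it, so a stray H4sI in ordinary text is not a hit. The input is a constructed blob (a fake MZ stub, gzip-compressed and base64-encoded, surrounded by filler, plus a decoy run that starts with H4sI but is not a valid stream); the function and label names are this example's own.

```python
import base64
import gzip
import re
import zlib

# base64 of the gzip magic (1f 8b 08) always encodes to "H4sI", so a cheap
# pre-filter is that prefix followed by a run of base64 alphabet characters.
B64_GZIP_RUN = re.compile(rb"H4sI[A-Za-z0-9+/=]{20,}")


def _trim_base64(run: bytes) -> bytes:
    """Cut a base64 run at its padding (if any) and to a multiple of 4
    characters, so text glued on after the real blob does not break decoding."""
    eq = run.find(b"=")
    if eq != -1:
        pad = 2 if run[eq:eq + 2] == b"==" else 1
        run = run[:eq + pad]
    return run[: len(run) - len(run) % 4]


def find_base64_gzip(data: bytes) -> list:
    """Return (offset, decompressed_bytes) for every base64 run in `data`
    that decodes to a well-formed gzip stream. Candidates that are not
    really base64, or not really gzip, are skipped rather than reported."""
    hits = []
    for m in B64_GZIP_RUN.finditer(data):
        run = _trim_base64(m.group(0))
        try:
            raw = base64.b64decode(run, validate=True)
            inner = gzip.decompress(raw)
        except (ValueError, OSError, EOFError, zlib.error):
            continue  # looked like H4sI... but was not a usable gzip blob
        hits.append((m.start(), inner))
    return hits


def classify(inner: bytes) -> str:
    """Rough label for what the embedded blob turned out to be."""
    if inner.startswith(b"MZ"):
        return "pe"        # an embedded executable, what the rule is after
    if inner.lstrip().startswith((b"{", b"<")):
        return "config"    # JSON/XML-style settings blob
    return "unknown"


def build_sample() -> bytes:
    """Constructed input (not taken from the analysed file): a fake PE stub,
    gzip-compressed and base64-encoded, surrounded by filler, plus a decoy
    run that starts with H4sI but is a truncated, invalid gzip stream."""
    fake_pe = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode."
    real = base64.b64encode(gzip.compress(fake_pe))
    decoy = b"H4sIAAAAAAAAAAAAAAAAAAAAAAAA"  # valid base64, not valid gzip
    return b"\x00" * 16 + b"header text" + b"\x00" + real + b"\x00" * 8 + decoy + b"\x00" * 8


def scan_sample() -> list:
    """Run the scanner over the constructed blob; returns [(offset, label)]."""
    return [(off, classify(inner)) for off, inner in find_base64_gzip(build_sample())]


if __name__ == "__main__":
    for off, label in scan_sample():
        print(f"base64+gzip blob at offset {off}: {label}")
```

On a real .NET binary the base64 is often stored as a UTF-16 string resource, so run the same scan over the bytes with the interleaved NUL bytes removed as well; the decode-then-gunzip check is what keeps the false positive rate low, since H4sI on its own is only four characters.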

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(7 matches; the report attaches no indicator, process or target to any of them)

Note: SmartAssembly is a commercial .NET obfuscator/protector, consistent with DcRat being a .NET assembly. The rule identifies the protector, not the family, so on its own it only corroborates the DCRat matches.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe | N/A
(15 executions of the dropped copy)

Note: the path is the Office installation cache (MSOCache), a directory that belongs to legitimate software, and the file name is that of the Local Security Authority process. The real lsass.exe runs only from C:\Windows\System32, as SYSTEM, with wininit.exe as its parent; an lsass.exe anywhere else is masquerading (T1036.005 Match Legitimate Name or Location) and is the simplest host check this report supports.

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target | Events
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe | N/A | 14
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe | N/A | 14
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A | 1
(30 events; the Set value counts match the EnableLUA writes listed under UAC bypass above)

Note: each process reads EnableLUA and then writes 0 regardless, so the query is not a conditional check but a read-before-write; a process that both reads and zeroes this value is a cleaner detection than either event alone.

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\7-Zip\Lang\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A
File created | C:\Program Files\7-Zip\Lang\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\RCX283A.tmp | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A
File created | C:\Windows\SoftwareDistribution\DataStore\Logs\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\RCX3C20.tmp | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A

Note: both drops follow the same pattern as the lsass.exe copy in MSOCache: a system-process name (taskhost.exe, dllhost.exe) placed in a directory owned by legitimate software (7-Zip's language packs, the Windows Update datastore logs), each accompanied by a 14-character hex-named companion file and an RCX*.tmp staging file. Neither C:\Program Files nor C:\Windows is writable by a standard user, so these writes again imply an elevated token. The report does not record which of the three copies the scheduled tasks below point at.
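Taken together, the rows above describe three behaviours a host-based detection can key on without any family signature: schtasks.exe created with wmiprvse.exe as its parent, UAC policy DWORDs written to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and executables named after system processes (lsass.exe, dllhost.exe, taskhost.exe) executed from or dropped into directories outside the Windows system directories. The script below is an added example, not part of this report and not any vendor's rule set. It assumes Sysmon-style process-create (Event 1), file-create (Event 11) and registry-set (Event 13) records with the field names Sysmon uses, and runs over events constructed to mirror the report's rows rather than real telemetry; the rule names and helper functions are this example's own.

```python
import re

# HKLM key whose DWORD values control UAC; the report shows all three written to 0
UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Process names that only legitimately run from the Windows system directories
SYSTEM_NAMES = {"lsass.exe", "dllhost.exe", "taskhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Paths taken from the report, reused in the constructed events below
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe"
DROPPED = r"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

# Constructed Sysmon-style events modelled on the report's rows; not real telemetry.
# Events 3, 4 and 8 are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\system32\schtasks.exe",
     "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\Windows\System32\lsass.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Program Files\7-Zip\Lang\taskhost.exe"},
    {"EventID": 13, "Image": DROPPED, "Details": "DWORD (0x00000000)",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "Image": SAMPLE, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
]


def _normalize_key(target: str) -> str:
    """Map the native \\REGISTRY\\MACHINE form used in sandbox output onto the
    HKLM form Sysmon logs, so one rule covers both spellings."""
    prefix = "\\REGISTRY\\MACHINE\\"
    if target.upper().startswith(prefix):
        return "HKLM\\" + target[len(prefix):]
    return target


def _dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000000)' rendering; None if not a DWORD."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _outside_system_dirs(path: str) -> bool:
    return not path.lower().startswith(SYSTEM_DIRS)


def detect(events: list) -> list:
    """Apply the three rules to Sysmon-style event dicts; returns findings."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 1:  # process creation
            image, parent = e["Image"], e["ParentImage"]
            if parent.lower().endswith("\\wbem\\wmiprvse.exe") and _basename(image) == "schtasks.exe":
                findings.append({"rule": "wmi_spawned_schtasks", "image": image,
                                 "detail": "schtasks.exe created via WMI provider host"})
            if _basename(image) in SYSTEM_NAMES and _outside_system_dirs(image):
                findings.append({"rule": "masquerading_system_binary", "image": image,
                                 "detail": "system-process name executed outside System32"})
        elif eid == 11:  # file creation
            target = e["TargetFilename"]
            if _basename(target) in SYSTEM_NAMES and _outside_system_dirs(target):
                findings.append({"rule": "masquerading_system_binary", "image": e["Image"],
                                 "detail": "dropped " + target})
        elif eid == 13:  # registry value set
            key, _, value = _normalize_key(e["TargetObject"]).rpartition("\\")
            if key.lower() == UAC_POLICY_KEY.lower() and value in UAC_VALUES and _dword(e["Details"]) == 0:
                findings.append({"rule": "uac_policy_disabled", "image": e["Image"],
                                 "detail": value + " = 0"})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, the shape an alert pipeline would roll up."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["image"], f["detail"])
    print(summarize(detect(SAMPLE_EVENTS)))
```

The registry rule accepts both the native \REGISTRY\MACHINE path form shown in this report and the HKLM form Sysmon writes, and only fires on a value of 0; a write of 1 (re-enabling UAC) is ignored. The masquerading rule deliberately checks the executed or dropped path against the system directories rather than a hash, because the dropped copies in this report are fresh builds and the name is the stable indicator.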

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(33 invocations of schtasks.exe, matching the 33 wmiprvse.exe-spawned schtasks.exe processes above; the report records neither task names nor command lines)

Note: with no task definitions in the report, the practical check on a live host is to list tasks whose action points at any of the three dropped paths (the lsass.exe copy under MSOCache, taskhost.exe under 7-Zip\Lang, dllhost.exe under SoftwareDistribution\DataStore\Logs), and to treat any task registered by a schtasks.exe whose parent is wmiprvse.exe as suspect (T1053.005 Scheduled Task).

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe | N/A | 35
N/A | N/A | C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe | N/A | 29

The excerpt ends inside this table; the Processes, Network and Files sections listed in the table of contents, and the behavioral2 analysis, are not included on this page.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 2204 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 2204 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 928 wrote to memory of 1568 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 928 wrote to memory of 1568 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 928 wrote to memory of 1568 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 928 wrote to memory of 3048 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 928 wrote to memory of 3048 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 928 wrote to memory of 3048 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1568 wrote to memory of 2804 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 1568 wrote to memory of 2804 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 1568 wrote to memory of 2804 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 2804 wrote to memory of 1664 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2804 wrote to memory of 1664 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2804 wrote to memory of 1664 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2804 wrote to memory of 552 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2804 wrote to memory of 552 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2804 wrote to memory of 552 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1664 wrote to memory of 2852 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 1664 wrote to memory of 2852 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 1664 wrote to memory of 2852 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 2852 wrote to memory of 2696 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2852 wrote to memory of 2696 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2852 wrote to memory of 2696 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2852 wrote to memory of 2836 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2852 wrote to memory of 2836 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2852 wrote to memory of 2836 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2696 wrote to memory of 1760 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 2696 wrote to memory of 1760 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 2696 wrote to memory of 1760 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 1760 wrote to memory of 1632 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1760 wrote to memory of 1632 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1760 wrote to memory of 1632 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1760 wrote to memory of 628 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1760 wrote to memory of 628 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1760 wrote to memory of 628 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1632 wrote to memory of 2148 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 1632 wrote to memory of 2148 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 1632 wrote to memory of 2148 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 2148 wrote to memory of 3064 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2148 wrote to memory of 3064 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2148 wrote to memory of 3064 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2148 wrote to memory of 1772 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2148 wrote to memory of 1772 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2148 wrote to memory of 1772 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 3064 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 3064 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 3064 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 1712 wrote to memory of 2016 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 2016 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 2016 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 3012 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 3012 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 1712 wrote to memory of 3012 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2016 wrote to memory of 2976 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 2016 wrote to memory of 2976 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 2016 wrote to memory of 2976 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
PID 2976 wrote to memory of 2872 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2976 wrote to memory of 2872 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2976 wrote to memory of 2872 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2976 wrote to memory of 2728 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2976 wrote to memory of 2728 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2976 wrote to memory of 2728 N/A C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 1664 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
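The WriteProcessMemory rows above are the sandbox's record of each process start: the sample launches the dropped lsass.exe copy, that copy launches WScript.exe, and WScript.exe launches the lsass.exe copy again, so the same image reappears under a new PID every hop. The script below is an added example written for this report (it is not sandbox code and not part of the original page); it rebuilds that chain from the rows. ROWS is a subset copied from the table; the repeated identical rows are separate write events for the same parent/child pair and are collapsed to one edge.

```python
"""Rebuild the parent -> WScript.exe -> parent-image relaunch chain from
WriteProcessMemory rows of the form
    PID <ppid> wrote to memory of <cpid> N/A <parent image> <child image>
Added example for this report, not sandbox code. ROWS is a subset of the
table on this page; duplicate rows collapse to a single edge.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe"
LSASS_DROP = r"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"

# Subset of the report's rows (first pair kept in triplicate to show the de-duplication).
ROWS = "\n".join([
    f"PID 2204 wrote to memory of 928 N/A {SAMPLE} {LSASS_DROP}",
    f"PID 2204 wrote to memory of 928 N/A {SAMPLE} {LSASS_DROP}",
    f"PID 2204 wrote to memory of 928 N/A {SAMPLE} {LSASS_DROP}",
    f"PID 928 wrote to memory of 1568 N/A {LSASS_DROP} {WSCRIPT}",
    f"PID 928 wrote to memory of 3048 N/A {LSASS_DROP} {WSCRIPT}",
    f"PID 1568 wrote to memory of 2804 N/A {WSCRIPT} {LSASS_DROP}",
    f"PID 2804 wrote to memory of 1664 N/A {LSASS_DROP} {WSCRIPT}",
    f"PID 2804 wrote to memory of 552 N/A {LSASS_DROP} {WSCRIPT}",
    f"PID 1664 wrote to memory of 2852 N/A {WSCRIPT} {LSASS_DROP}",
])

# Both image paths end in .exe; the first group is non-greedy so the split
# lands on the space between the two paths even though paths contain spaces.
ROW_RX = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$")


def parse_edges(text):
    """Return unique (parent_pid, parent_image, child_pid, child_image) edges in table order."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW_RX.match(line)
        if not m:
            continue
        edge = (int(m.group(1)), m.group(3), int(m.group(2)), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def relaunch_hops(edges):
    """Find hops parent -> WScript.exe -> child whose image equals the parent's image.

    Each hop is one pass through the dropped .vbs: the binary writes a script,
    runs it with WScript.exe, and the script starts the binary again.
    """
    children = {}
    for ppid, _pimg, cpid, cimg in edges:
        children.setdefault(ppid, []).append((cpid, cimg))
    hops = []
    for ppid, pimg, cpid, cimg in edges:
        if not cimg.lower().endswith("\\wscript.exe"):
            continue
        for gpid, gimg in children.get(cpid, []):
            if gimg.lower() == pimg.lower():
                hops.append((ppid, cpid, gpid))
    return hops


def generations(edges):
    """PIDs of successive instances of the relaunched image, root instance first."""
    hops = relaunch_hops(edges)
    if not hops:
        return []
    nxt = {parent: grandchild for parent, _w, grandchild in hops}
    chain = [hops[0][0]]
    while chain[-1] in nxt and nxt[chain[-1]] not in chain:  # guard against PID reuse loops
        chain.append(nxt[chain[-1]])
    return chain


if __name__ == "__main__":
    edges = parse_edges(ROWS)
    for ppid, _pimg, cpid, cimg in edges:
        print(f"{ppid} -> {cpid}: {cimg}")
    print("relaunch generations of lsass.exe copy:", generations(edges))
```

On the subset above this yields three generations of the dropped lsass.exe (PIDs 928, 2804, 2852); the full table continues the pattern for several more hops. Each WScript.exe PID in a hop pairs with one of the `<guid>.vbs` files under `C:\Users\Admin\AppData\Local\Temp` shown in the Processes section, which is what to collect if you want the launcher script itself.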

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
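The three values written above are the whole UAC policy: EnableLUA=0 switches UAC off (after the next reboot), ConsentPromptBehaviorAdmin=0 makes administrators elevate without any prompt (effective immediately), and PromptOnSecureDesktop=0 moves any prompt that still appears onto the normal desktop, where other user-mode processes can observe and drive it. All three live under HKLM, so the writes themselves need an elevated token; the "UAC bypass" and "Checks whether UAC is enabled" signatures in the summary are the other half of that story. The script below is an added example for this report (not sandbox output) that turns the table rows into the resulting UAC state and compares it to the Windows defaults. ROWS is a representative subset copied from the table.

```python
"""Interpret UAC policy writes recorded as
    Set value (int) \\REGISTRY\\MACHINE\\...\\Policies\\System\\<name> = "<n>" <process> N/A
Added example for this report, not sandbox code. ROWS is a subset of the
table on this page; value meanings are the documented UAC policy semantics.
"""
import re

ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe N/A
"""

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows defaults: UAC on, admins prompted for consent (for non-Windows binaries)
# on the secure desktop. A hardened baseline sets ConsentPromptBehaviorAdmin to 2.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

ROW_RX = re.compile(
    r'^Set value \(int\) (\\REGISTRY\\MACHINE\\\S+)\\(\w+) = "(-?\d+)" (.+?\.exe) N/A$'
)


def parse_policy_writes(text):
    """Return (value_name, int_value, writing_process) for each UAC policy row."""
    writes = []
    for line in text.strip().splitlines():
        m = ROW_RX.match(line)
        if m and m.group(1) == UAC_KEY:
            writes.append((m.group(2), int(m.group(3)), m.group(4)))
    return writes


def effective_state(writes, start=DEFAULTS):
    """Replay the writes in table order on top of a baseline; last write wins."""
    state = dict(start)
    for name, value, _proc in writes:
        if name in state:
            state[name] = value
    return state


def assess(state):
    """Explain each weakened value; an empty list means the policy is at the baseline."""
    findings = []
    if state["EnableLUA"] == 0:
        findings.append("EnableLUA=0: UAC disabled at next reboot; admin-group processes run with a full token")
    if state["ConsentPromptBehaviorAdmin"] == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: admins elevate silently, effective immediately")
    if state["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: prompts drawn on the user desktop, visible to other processes")
    return findings


def writers(writes):
    """Distinct processes that touched the UAC policy (here: the sample and its lsass.exe copy)."""
    return sorted({proc for _name, _value, proc in writes})


if __name__ == "__main__":
    observed = parse_policy_writes(ROWS)
    state = effective_state(observed)
    print("effective UAC policy:", state)
    for finding in assess(state):
        print(" -", finding)
    print("written by:", *writers(observed), sep="\n  ")
```

On a live host the same three values can be read back with `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"`; the EnableLUA change only takes hold after a reboot, so a machine that shows EnableLUA=0 but still prompts has not restarted since the write, and both the registry state and the lack of a restart are worth recording in the timeline.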

Uses Task Scheduler COM API

persistence
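The schtasks command lines listed under Processes follow one template per dropped binary: a task named after the binary that runs ONLOGON with `/rl HIGHEST`, plus two repeating MINUTE tasks whose name is the binary name with its own first character appended (taskhostt, lsassl, dwmd, csrssc, SystemS, audiodga). Every target is a system-process name (lsass, csrss, smss, dwm, services, dllhost, audiodg, taskhost, System) dropped outside the Windows system directories. The script below is an added example for this report, not sandbox code and not part of the original page; it parses such lines and reports why each target is suspicious. SAMPLE_LINES copies a subset of the lines on this page and adds one constructed benign task as a control.

```python
"""Triage 'schtasks /create' command lines for DcRat-style persistence.
Added example for this report, not sandbox code. SAMPLE_LINES is a subset of
the Processes section on this page plus one constructed benign control line.
"""
import re
from collections import defaultdict

# Image names that should only run from the Windows system directories.
SYSTEM_PROCESS_NAMES = {
    "lsass", "csrss", "smss", "dwm", "services", "dllhost",
    "audiodg", "taskhost", "system", "svchost", "winlogon",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

SAMPLE_LINES = r"""
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f
""".strip().splitlines()   # last line is a constructed benign control, not from the report

_FLAG = {
    "name": re.compile(r'/tn\s+"([^"]+)"'),
    "schedule": re.compile(r"/sc\s+(\w+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)"),
    # DcRat wraps the path as "'path'"; plain "path" is accepted too.
    "target": re.compile(r"/tr\s+\"'?([^\"']+)'?\""),
    "run_level": re.compile(r"/rl\s+(\w+)", re.I),
}


def parse_schtasks(cmdline):
    """Return the fields of one 'schtasks /create' command line, or None if it is not one."""
    if "/create" not in cmdline.lower():
        return None
    task = {field: (m.group(1) if (m := rx.search(cmdline)) else None) for field, rx in _FLAG.items()}
    task["modifier"] = int(task["modifier"]) if task["modifier"] else None
    task["schedule"] = task["schedule"].upper() if task["schedule"] else None
    return task


def basename_no_ext(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def is_masquerade(path):
    """True for a system-process image name running from a non-system directory."""
    name = basename_no_ext(path).lower()
    folder = path.rsplit("\\", 1)[0].lower()
    return name in SYSTEM_PROCESS_NAMES and folder not in SYSTEM_DIRS


def flag_task(task):
    reasons = []
    target = task["target"] or ""
    base = basename_no_ext(target)
    if is_masquerade(target):
        reasons.append("system process name outside system directories")
    if (task["run_level"] or "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges")
    if task["schedule"] == "MINUTE" and (task["modifier"] or 0) <= 15:
        reasons.append("re-launched every few minutes")
    if base and task["name"] == base + base[0]:
        reasons.append("DcRat-style task name (binary name plus its first character)")
    return reasons


def has_dcrat_triad(tasks):
    """ONLOGON task at HIGHEST plus at least two repeating MINUTE tasks for one binary."""
    logon = any(t["schedule"] == "ONLOGON" and (t["run_level"] or "").upper() == "HIGHEST" for t in tasks)
    return logon and sum(1 for t in tasks if t["schedule"] == "MINUTE") >= 2


def triage(lines):
    """Map each target binary to the sorted reasons it is suspicious (empty list = clean)."""
    groups = defaultdict(list)
    for line in lines:
        task = parse_schtasks(line)
        if task and task["target"]:
            groups[task["target"]].append(task)
    report = {}
    for target, tasks in groups.items():
        reasons = {r for t in tasks for r in flag_task(t)}
        if has_dcrat_triad(tasks):
            reasons.add("ONLOGON + 2x MINUTE task triad")
        report[target] = sorted(reasons)
    return report


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_LINES).items():
        print(target, "->", reasons or "clean")
```

The same parser works on Sysmon event ID 1 or 4688 command lines for schtasks.exe, which is where this pattern is caught on a live host. For cleanup, each task is removed with `schtasks /delete /tn "<name>" /f`, and every target path reported as a masquerade should be collected before deletion, since the MINUTE tasks will re-create the process within minutes otherwise.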

Processes

C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe

"C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c477" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6005f989-f7a9-4055-819d-977900273d66.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb895221-8cc4-4b74-8f2a-04e49e9174d7.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba96d3d6-50a6-4b08-af82-7eddc7691df5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5623b9b-fff1-4318-8815-fa267e3c2cb3.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07522d8d-6031-4b5b-950c-1a759d2e8288.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8da6832-5614-47b8-8bfe-a24219509948.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba27be3a-0622-468f-838b-88eef2bc92f6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fc9ecaf-5aae-4932-ba43-6c8497214311.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25a607aa-d346-4672-9626-c059e84bcef7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99ffe88c-8757-45cb-afdb-9aab142937bc.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15ba4346-0aba-4a22-89bc-0b33c7cca7d1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef43f8ae-a172-4281-ad4f-32deec5a4441.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cc0817e-acb1-4b5a-878e-4ece6bb99ffd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1267f796-d6fc-438d-921f-1b587723bf4e.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5168d97-7aaa-4218-8770-fbc36f5fafc7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f5e9975-a8cf-4f96-9267-bb709de46d0f.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47e07594-bdcd-4a6e-b15c-17bbfaa171e0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5bcb7c6-d8b1-409f-81a9-466d7a016ec9.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd4bc98f-1d37-461e-b4d7-ae9290da89a3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d76cbd0-1849-47c9-9249-18e36dd297be.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11408965-a031-45a4-9ddd-1174e1951fa7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbf1ba91-215f-47b3-977d-57ab038a80a9.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cff87ea-880f-486c-83a2-108888155b08.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fda90d4-8cfe-4d52-a897-85f577e3d378.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac2b3ebf-d625-4c9b-9c61-4ad84d56c72c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3aaada3-b943-4831-acbb-c0956fa2f593.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d54acb9-ea33-4fac-92c5-9957f249ba27.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20cdbbdd-36ce-4ca2-b93d-286e19d97e79.vbs"

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0941979.xsph.ru udp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp

Files

memory/2204-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

memory/2204-1-0x0000000001060000-0x000000000119A000-memory.dmp

memory/2204-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

memory/2204-3-0x0000000000440000-0x000000000045C000-memory.dmp

memory/2204-5-0x0000000000460000-0x0000000000470000-memory.dmp

memory/2204-4-0x0000000000240000-0x0000000000248000-memory.dmp

memory/2204-6-0x0000000000590000-0x00000000005A6000-memory.dmp

memory/2204-7-0x0000000000470000-0x0000000000478000-memory.dmp

memory/2204-8-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/2204-9-0x00000000005C0000-0x00000000005CC000-memory.dmp

memory/2204-10-0x00000000005E0000-0x00000000005EC000-memory.dmp

memory/2204-11-0x00000000005F0000-0x00000000005F8000-memory.dmp

memory/2204-12-0x0000000000600000-0x000000000060C000-memory.dmp

memory/2204-13-0x0000000000610000-0x000000000061C000-memory.dmp

memory/2204-14-0x0000000000620000-0x0000000000628000-memory.dmp

memory/2204-15-0x0000000000630000-0x000000000063A000-memory.dmp

memory/2204-16-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

memory/2204-17-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

memory/2204-18-0x0000000000B00000-0x0000000000B08000-memory.dmp

memory/2204-19-0x0000000000B10000-0x0000000000B1A000-memory.dmp

memory/2204-20-0x0000000000B20000-0x0000000000B2C000-memory.dmp

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe

MD5 7b05cf7f9e8162f55d50f10f711df29a
SHA1 6c077351d11f6069067d69b6ece6d0989e972c99
SHA256 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47
SHA512 275b2d3680a92510c0a72c5e369c5c2ca57be94b71e4c668a8be9874b85bf084a6d065973cfce685580ed123adfba95373338c0b2009be86399afcd4c7c1a0d8

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe

MD5 ab847f6f56089b43846bfdab2d546973
SHA1 e3687c95196a50e36952454992f9b2caf40437e9
SHA256 c8c8cc6c7204e50535670740a1a5e91aa63c1c72e6bb61ecc727ed6f3f776f8d
SHA512 db450dbf6bbee41df459cd7a37dfb740a602064e5559b0af66c6334ec67052963759cd7fdf75b31f9cf71e797a5bc7186fa2dd0d6c77804e0f9d141cd7e47a10

memory/928-125-0x0000000000EF0000-0x000000000102A000-memory.dmp

memory/2204-126-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6005f989-f7a9-4055-819d-977900273d66.vbs

MD5 f202e66b3cdfafad2ed7cf973a0105d3
SHA1 4dd3bbc884871ee944da3a8e8e4cfe0f43c3890b
SHA256 14d4d26a32c02770051d68c542dfb6cee97fa621decdf359e598c109fbee1f6e
SHA512 abc49dce47394cdafc04f67b16ddcbdc4bb18de952b74d88adac48d1b0fe6b4661a7dc0c4d0557c4731273edad9294058b106be3e612ed845d9453812f6f3400

C:\Users\Admin\AppData\Local\Temp\cb895221-8cc4-4b74-8f2a-04e49e9174d7.vbs

MD5 14917d3fe5bafe470dd0e0c9e5f616bf
SHA1 7a2650084c6d1c9dbd1b7a9fc7939e2608bc05cd
SHA256 a47ffb174650a7c570727277f79c9e946d2cbbc7955b4b595c8ee4c87d824aa3
SHA512 c98e921749bae148c4fe20e27e72325bfeb8f5f4e358d2cebbe611d0135ee7e8dfac38498dd2bd3bd672fcc2ee05c58a82ff02152f1bbd6f361ec42144c6844c

memory/2804-137-0x0000000000F90000-0x00000000010CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ba96d3d6-50a6-4b08-af82-7eddc7691df5.vbs

MD5 044a06fc903c929e86777b8ebbeb5ffb
SHA1 02c0161bed0f2461637c980e93a623c703ed0e83
SHA256 c3355dfab9bc4e1735450f4238e036b2afcd6f2b78f9ebde3b42b2c2c88a9c96
SHA512 53a4c1419d43ce4b44d362de91d52f56b9ec09e47028e05f2b06bdfdf7c7fb776d8dac84fae53d352aaad490a82978837a87d8233cf78d345fa90bf793e34e63

C:\Users\Admin\AppData\Local\Temp\07522d8d-6031-4b5b-950c-1a759d2e8288.vbs

MD5 715d0544bbb8eaca9bdccfa03b5143e7
SHA1 5624a678fc68cc1a9d636f25a455f6f66ea7ccea
SHA256 abd58ae25c40c288cace17553e97b72e1311161d47b2d08d2498c5f518520da2
SHA512 4c3ee1ae2120d20d5f796cb9f7b000f3316e31147e5cc996952f89cb766f922e289d0e48696828b081c403a5c04ea92f171bee88558aa72dd0ddd661c29ce343

memory/1760-160-0x0000000001210000-0x000000000134A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ba27be3a-0622-468f-838b-88eef2bc92f6.vbs

MD5 aaa969ac0cd09473f1eb5bef6da6d29d
SHA1 e1e1f8c09ffb3355a676248e5d0c252c65c23ade
SHA256 b71fde81a0dc0b5fe9b7a19d23e3860355e1793c892ee3084f3b0a938cdbb53e
SHA512 e343da1c2ed7444ba62cb7662403949e38db7d2cd1ee2ff0d116ffe6bb9a55c578efb25032ccab367702bcdc9850868c5c6ac17e8578d05f17e39e70304e531a

memory/2148-172-0x0000000001240000-0x000000000137A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\25a607aa-d346-4672-9626-c059e84bcef7.vbs

MD5 bbf2c6d6f0892434046c6ffd8ecefaa5
SHA1 9d631090e7841fd01bf971cbcb63c71294083d6e
SHA256 ff776fb5343a99b17d1ffe31cde8d3cb1726f3ca7853dc4d4a6931d8973cc75d
SHA512 b52a6e28875ad46ad2cf634c95b09660effef73ee4658b65385f92c054f47dcfe09c76ab4e5ba078c01d7528543e9ef6db4cd1579ddc72345899427368e396af

C:\Users\Admin\AppData\Local\Temp\15ba4346-0aba-4a22-89bc-0b33c7cca7d1.vbs

MD5 5e0218baa47a2901ba134c328505f9e3
SHA1 2bb64ee2f73d053080274392db8fb0350acdbb06
SHA256 4be23cbdc0c9958d5a96484b97cbffea1b977c9ef5f7c9624228bc571f6416ce
SHA512 da69b3189f8fdd61fc1d30dd36515324127f75151b47753ba8efd8beea764ce3f2c2bf480e8c1e589fc9c4cc05ebb2aed130973e7066a9b4a36afbbb3faa99ee

memory/2976-195-0x00000000013D0000-0x000000000150A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0cc0817e-acb1-4b5a-878e-4ece6bb99ffd.vbs

MD5 c2c1e88dedc126c8adf047c557d21be5
SHA1 d5019e7ae7ec64d815cc03165aedde85b613739b
SHA256 b8f5b03e7320edb988d76fb8cdc9d04ea23ea81334ef9ba336e32f90573696cf
SHA512 5c7f4946eaef2655cb3652f4d15def37881ed1b6a06dd9f9ac035ebb2bf2aee8fd39d5f69fc4cbd2be6a659de586d812104e151da798757c9b1c1eb9371b5216

C:\Users\Admin\AppData\Local\Temp\e5168d97-7aaa-4218-8770-fbc36f5fafc7.vbs

MD5 17927551d5ebd705e83d7bb796d1c0fe
SHA1 f1f79013bb0900bffbc91666eb569777da573fad
SHA256 f65c8c0cb113a2c61be29f640840b0bc8811df6079a05f81be409ce0bba58613
SHA512 5a335e4257a6f2697fb6e5e2e439d3911149f9710ce0013ab666907d5aae8b834c01a39bcecd09bd9382f4c745f603f5ff27197ce30983ecd4633d1ca88ed1c6

C:\Users\Admin\AppData\Local\Temp\47e07594-bdcd-4a6e-b15c-17bbfaa171e0.vbs

MD5 5aecee3885808d1bf02339513168d038
SHA1 fc3bbbefc2972ab5faa21d6e947e5f092ccf5104
SHA256 7de6ee9ba05eb99e46ba6bf7b21946f7d748a66389b8d578a54f85a227c90da0
SHA512 bb8583b4a2206441cfe0b88b0e5007f60cea66893b1fe2d4f5f10301e9cdf86ed852635773e8c4d1428a6fbe273651d4ca754f353538e537856e587f1c8d183d

C:\Users\Admin\AppData\Local\Temp\fd4bc98f-1d37-461e-b4d7-ae9290da89a3.vbs

MD5 76111bb744cb6d49ae4cf05dc7c00b0f
SHA1 329702f1b4f163a761f578a0706985c288ca0ce1
SHA256 851928a7a3ee5694729b0c7e960ed83cf4ed5b5853f3ed9a7cfbcc127262f565
SHA512 82f5cb505b484fea96ac28f142440992233efba3081eb658d350c20de42f1cce9eeceaee786db7e9e323970633733d4a0982455b2c1238c4179cb5a539d9dfb4

memory/2884-240-0x0000000000130000-0x000000000026A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11408965-a031-45a4-9ddd-1174e1951fa7.vbs

MD5 b0cbf2648c4063c3240ad614d8a28c5a
SHA1 ccf3a5606cd18e27181dfe7e915b6b02e33a8ad4
SHA256 fbbe3f330b925376016d4baf833bc2cc1db6e55c7bc9780663f9840ffca96bb9
SHA512 cfbf0fad67d1210ace6b61410fdcb9b12846877c1284684b717b604ed94d9f81f26f4b916d29a4ebe5eaba2156d897950d19fb0b06b4c686def8daab92fbb754

memory/692-252-0x0000000000870000-0x00000000009AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9cff87ea-880f-486c-83a2-108888155b08.vbs

MD5 4d2b63e9b0e8d85831f24f87a1842014
SHA1 c3db2597478f939e3d6073cd9fbaa5f7a7332922
SHA256 ec74b48780bce6602b712f7acea271a10d1aba12f0046cc395714d8c36aeeff8
SHA512 1cee5b6f0fa0401c00c3579f96c49c3636dec7661ce821c30202bf46f87a8479de511e79f41ce85ff0c4f1acf149b07f6d05531b9f9061cde881fc6bc9953c87

memory/1688-264-0x0000000001140000-0x000000000127A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ac2b3ebf-d625-4c9b-9c61-4ad84d56c72c.vbs

MD5 7a96a1ae0c59741c8a5a334ab66064cd
SHA1 0533f84c64330144dda9a341ce9a8986d0c627b2
SHA256 f8d9e1e3e6b8d4b95024c7d19ffbbbab2cd991c1e94855dfdeacca98c62ba8fb
SHA512 a68d827e54c4414f59eca2b52a6cb29bdbc021e766fffe16321015c4ce98ad854d283785e76013d27ccf1769246de6dd71aed07ec5a800b99aced0a6b96860ab

C:\Users\Admin\AppData\Local\Temp\8d54acb9-ea33-4fac-92c5-9957f249ba27.vbs

MD5 3c7eb0fddd49c75da89865e9f1c7160c
SHA1 9ca5095f1334b1b2645b0b54dac4452ad77bc2e4
SHA256 d9bdb1827b3b3376ec8bf19fe7cf3cf7a55c66a50b6202b69443f72354adecea
SHA512 f1d4849948958ae22dad0582e2ee70b4e34767667065b4f872afe54418c290a4de72e3d10ff986544a2244e2a08dfc45a212da88196c1fbe23950c28278e587d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 23:01

Reported

2024-05-13 23:03

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing bas64 encoded gzip files

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Default User\csrss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\dllhost.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RCX6952.tmp C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX74E0.tmp C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Program Files\Microsoft Office 15\dllhost.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Program Files\Microsoft Office 15\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\RCX6344.tmp C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\InputMethod\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\GameBarPresenceWriter\RCX5F3B.tmp C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\PolicyDefinitions\Registry.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\WaaS\services\sysmon.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\System\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\PolicyDefinitions\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\CbsTemp\RCX613F.tmp C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\security\ApplicationId\PolicyManagement\RCX725E.tmp C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\System\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\InputMethod\RCX6DD8.tmp C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\CbsTemp\explorer.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\RCX5B32.tmp C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\System\RCX592D.tmp C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\CbsTemp\explorer.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\System\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\security\ApplicationId\PolicyManagement\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\InputMethod\lsass.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\CbsTemp\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\InputMethod\lsass.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\Registry.exe C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
File created C:\Windows\GameBarPresenceWriter\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Default User\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A
N/A N/A C:\Users\Default User\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe C:\Windows\System32\cmd.exe
PID 4392 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe C:\Windows\System32\cmd.exe
PID 3784 wrote to memory of 4624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3784 wrote to memory of 4624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3784 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\csrss.exe
PID 3784 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\csrss.exe
PID 2300 wrote to memory of 3232 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 2300 wrote to memory of 3232 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 2300 wrote to memory of 2376 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 2300 wrote to memory of 2376 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 3232 wrote to memory of 1412 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 3232 wrote to memory of 1412 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 1412 wrote to memory of 2172 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1412 wrote to memory of 2172 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1412 wrote to memory of 3344 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1412 wrote to memory of 3344 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 2172 wrote to memory of 5076 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 2172 wrote to memory of 5076 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 5076 wrote to memory of 1908 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 5076 wrote to memory of 1908 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 5076 wrote to memory of 3272 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 5076 wrote to memory of 3272 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1908 wrote to memory of 1084 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 1908 wrote to memory of 1084 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 1084 wrote to memory of 1652 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1084 wrote to memory of 1652 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1084 wrote to memory of 1756 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1084 wrote to memory of 1756 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 4648 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 1652 wrote to memory of 4648 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 4648 wrote to memory of 408 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 4648 wrote to memory of 408 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 4648 wrote to memory of 2312 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 4648 wrote to memory of 2312 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 408 wrote to memory of 4432 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 408 wrote to memory of 4432 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 4432 wrote to memory of 1408 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 4432 wrote to memory of 1408 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 4432 wrote to memory of 5028 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 4432 wrote to memory of 5028 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1408 wrote to memory of 5096 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 1408 wrote to memory of 5096 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 5096 wrote to memory of 3064 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 5096 wrote to memory of 3064 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 5096 wrote to memory of 712 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 5096 wrote to memory of 712 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 3064 wrote to memory of 1456 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 3064 wrote to memory of 1456 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 1456 wrote to memory of 4972 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1456 wrote to memory of 4972 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1456 wrote to memory of 4832 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1456 wrote to memory of 4832 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 5076 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 4972 wrote to memory of 5076 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 5076 wrote to memory of 3068 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 5076 wrote to memory of 3068 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 5076 wrote to memory of 3204 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 5076 wrote to memory of 3204 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 3068 wrote to memory of 1840 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 3068 wrote to memory of 1840 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\csrss.exe
PID 1840 wrote to memory of 4572 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1840 wrote to memory of 4572 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1840 wrote to memory of 5064 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe
PID 1840 wrote to memory of 5064 N/A C:\Users\Default User\csrss.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\csrss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe

"C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\System\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\InputMethod\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xxDhnLNanq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a414dbf-5397-4f4f-ada3-ecb35aa923c2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\722535dd-9925-443a-b2bc-e0803ad07851.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22d16109-f7a0-483b-ade4-9363da0fa9eb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8be459a-9e03-4b0d-a677-6fb17dd96bc8.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529b3577-5c0e-4203-845b-d7ed70a8dcdb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\835fb278-9e33-4414-980e-e6b934b69418.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14533410-8406-4b29-a6b4-d838ab77bfb2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dd2ea87-fd2c-4f87-8b5c-e582763e9efb.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5887cac0-59f8-489c-b4e8-4b6b9901f767.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3568498-3830-4a29-9a4a-d1203feb1f5d.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0582d10-13c4-487f-82f4-0a8ecf98c2e6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c95c64a-4174-4d5a-af47-fbe8253ec2af.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec20a89-3ef5-426c-a6be-f3c98ca40f24.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2042511e-12dc-49ec-a5ff-9bdddd0f69b2.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb9962c6-39f1-45e4-aee9-c7e531c1eb0f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24b5478f-0f66-46ae-b555-990933997449.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c47d627c-466e-481b-beee-5602e2f50c7b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\836fc1bf-da27-4752-bbed-0c0ab2d2f02e.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ded2a714-455c-45a0-ab48-25c38291836a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4257a2a3-fedf-429e-8f4e-1db5cb67ca44.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80764739-2eb7-4efe-a493-e651a4d57895.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8088d221-530a-4424-b184-73252730254a.vbs"

C:\Users\Default User\csrss.exe

"C:\Users\Default User\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30a80b62-b432-476e-bbd4-d66a7a7ea57e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b421495f-0eb6-4ffe-87a5-e948ea68b4c3.vbs"
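Every dropped binary in the process list above is registered three times: an ONLOGON task with /rl HIGHEST under the bare binary name, and two MINUTE-interval tasks under the name plus a trailing letter (RuntimeBrokerR, csrssc, lsassl, ...), one of them also with /rl HIGHEST. The task targets borrow the names of Windows system binaries (csrss.exe, lsass.exe, dwm.exe, RuntimeBroker.exe, fontdrvhost.exe, explorer.exe) but sit in paths where those binaries never live: C:\Users\Default User, C:\Recovery\WindowsRE, C:\Windows\CbsTemp, C:\Windows\System. The explorer.exe in C:\Windows\CbsTemp is a copy of the sample itself (same SHA256 in the Files section). The Python below is an added example, not part of the sandbox report: it parses schtasks /create command lines as they appear in this report (or in process-creation telemetry), flags a target whose file name matches a known system binary but whose directory is not the expected one, flags highest-privilege tasks that run from outside C:\Windows and C:\Program Files, and groups the registrations per target so the triple-task pattern is visible. The expected-directory table and the one benign control line are assumptions added for the example.

```python
"""Flag scheduled tasks that masquerade as Windows binaries (added example, not part of the report)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# schtasks command lines copied from this report's process list (a subset), plus one constructed
# benign control at the end (the real dllhost.exe in System32) that must not be flagged.
CMDLINES = [
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\System\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "CleanupProbe" /sc ONLOGON /tr "'C:\Windows\System32\dllhost.exe'" /rl HIGHEST /f''',
]

# Where the genuine binary lives (lower-case, no trailing backslash). Assumption: extend for your estate.
EXPECTED_DIR = {
    "csrss.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "backgroundtaskhost.exe": {r"c:\windows\system32"},
    "upfc.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}
SYSTEM_ROOTS = (r"c:\windows", r"c:\program files")

TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
SC = re.compile(r"/sc\s+(\S+)", re.I)
MO = re.compile(r"/mo\s+(\d+)", re.I)
TR = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)  # schtasks target is wrapped as "'path'"
RL = re.compile(r"/rl\s+(\S+)", re.I)


def parse_create(cmd):
    """Extract name, target, schedule, interval and run level from a schtasks /create command line."""
    if "/create" not in cmd.lower():
        return None
    tn, tr = TN.search(cmd), TR.search(cmd)
    if not (tn and tr):
        return None
    sc, mo, rl = SC.search(cmd), MO.search(cmd), RL.search(cmd)
    return {
        "name": tn.group(1),
        "target": tr.group(1),
        "schedule": sc.group(1).upper() if sc else None,
        "every": int(mo.group(1)) if mo else None,
        "highest": bool(rl and rl.group(1).upper() == "HIGHEST"),
    }


def classify(task):
    """Return the list of reasons a parsed task is suspicious (empty for a benign task)."""
    p = PureWindowsPath(task["target"])
    exe, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    expected = EXPECTED_DIR.get(exe)
    if expected is not None and parent not in expected:
        reasons.append(f"{exe} masquerade: runs from {parent}, expected {sorted(expected)}")
    if task["highest"] and not parent.startswith(SYSTEM_ROOTS):
        reasons.append("runs at highest privileges from outside Windows/Program Files")
    return reasons


def findings(cmds):
    """(task name, target, reason) for every suspicious registration in a list of command lines."""
    out = []
    for cmd in cmds:
        task = parse_create(cmd)
        if task is None:
            continue
        for reason in classify(task):
            out.append((task["name"], task["target"], reason))
    return out


def registrations_by_target(cmds):
    """Group registrations per target binary to expose the ONLOGON + MINUTE multi-task pattern."""
    groups = defaultdict(list)
    for cmd in cmds:
        task = parse_create(cmd)
        if task:
            groups[task["target"].lower()].append((task["name"], task["schedule"], task["every"], task["highest"]))
    return dict(groups)


if __name__ == "__main__":
    for name, target, reason in findings(CMDLINES):
        print(f"[!] task {name!r} -> {target}: {reason}")
    for target, regs in registrations_by_target(CMDLINES).items():
        print(f"{target}: {len(regs)} registration(s) {regs}")
```

The same rules apply unchanged to `schtasks /query /fo CSV /v` output or to the Task Scheduler COM API's action paths: the "Task To Run" column is the target, and the name-versus-directory mismatch is what separates these tasks from the many legitimate ones that also run at highest privileges from System32.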

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 a0941979.xsph.ru udp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
US 8.8.8.8:53 33.195.8.141.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp
RU 141.8.195.33:80 a0941979.xsph.ru tcp

Files

memory/4392-0-0x00007FF8EDF53000-0x00007FF8EDF55000-memory.dmp

memory/4392-1-0x0000000000100000-0x000000000023A000-memory.dmp

memory/4392-2-0x00007FF8EDF50000-0x00007FF8EEA11000-memory.dmp

memory/4392-3-0x0000000000A00000-0x0000000000A1C000-memory.dmp

memory/4392-6-0x0000000002490000-0x00000000024A0000-memory.dmp

memory/4392-5-0x0000000002320000-0x0000000002328000-memory.dmp

memory/4392-4-0x00000000024E0000-0x0000000002530000-memory.dmp

memory/4392-8-0x00000000024C0000-0x00000000024C8000-memory.dmp

memory/4392-9-0x00000000024D0000-0x00000000024DA000-memory.dmp

memory/4392-7-0x00000000024A0000-0x00000000024B6000-memory.dmp

memory/4392-10-0x0000000002530000-0x000000000253C000-memory.dmp

memory/4392-13-0x000000001AF40000-0x000000001AF4C000-memory.dmp

memory/4392-12-0x000000001AF30000-0x000000001AF38000-memory.dmp

memory/4392-14-0x000000001AF50000-0x000000001AF5C000-memory.dmp

memory/4392-11-0x000000001AF20000-0x000000001AF2C000-memory.dmp

memory/4392-15-0x000000001AF60000-0x000000001AF68000-memory.dmp

memory/4392-16-0x000000001AF70000-0x000000001AF7A000-memory.dmp

memory/4392-18-0x000000001AF90000-0x000000001AF9C000-memory.dmp

memory/4392-17-0x000000001AF80000-0x000000001AF8E000-memory.dmp

memory/4392-20-0x000000001AFB0000-0x000000001AFBA000-memory.dmp

memory/4392-19-0x000000001AFA0000-0x000000001AFA8000-memory.dmp

memory/4392-21-0x000000001B6D0000-0x000000001B6DC000-memory.dmp

C:\Windows\CbsTemp\explorer.exe

MD5 7b05cf7f9e8162f55d50f10f711df29a
SHA1 6c077351d11f6069067d69b6ece6d0989e972c99
SHA256 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47
SHA512 275b2d3680a92510c0a72c5e369c5c2ca57be94b71e4c668a8be9874b85bf084a6d065973cfce685580ed123adfba95373338c0b2009be86399afcd4c7c1a0d8

C:\Users\Admin\Downloads\fontdrvhost.exe

MD5 d651fb397c8332af137e3a5e7b1f38da
SHA1 47cfdafaeaf943bfd663296628fc1b6d619f09e6
SHA256 d8ca8414c41646b8a3a4d4469fe67fd7efa5bda3b1a69f84c4e402026ca3ff89
SHA512 85406d83d3778ad4effdee1b49bf9fe512caf82f547c3f2ef03c89ea7ad824b12bfd676934295d379dbdd310c31a220aee7e1ffc3da504b469175fc683dafa0a

memory/4392-162-0x00007FF8EDF50000-0x00007FF8EEA11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xxDhnLNanq.bat

MD5 d6c1b6c3152adc0d22c46836251ef924
SHA1 6ae9ae33f51e25400e4651c1717429dd8db3e48e
SHA256 20e0646e6d44230c403c536a4892deaa3d9eb96dcff4790f593e8128d9eb28c7
SHA512 4233e6e87c8db22f20ba0467d648ec656cce133db21a04f176f05a2687d86eb6ff0e67157f28996e68f0cd77175466f96620038a3ba824a45fe1dd98593b6bc9

C:\Users\Admin\AppData\Local\Temp\4a414dbf-5397-4f4f-ada3-ecb35aa923c2.vbs

MD5 db62752106a4f73f564ee4b3a1204d50
SHA1 a9485cc1fad524d7a52fa62d955c9969e4b1d167
SHA256 5296f64f797686f7452769d014e725a19ed2c59bda8c1ae819253ba7e2274f22
SHA512 5df0ae71e30cc990a662fbd8a6b5b94fdde6feadd4951e05e9dfa80b03de539f3b2335eb5295e30f3fe9c3a88b52089d374a8b58725138de904556808103fefd

C:\Users\Admin\AppData\Local\Temp\722535dd-9925-443a-b2bc-e0803ad07851.vbs

MD5 dadd7644ea1ac1edebc7463665ff60b6
SHA1 e1f41ec30047e1e6fdcf74867877fe91deb9a714
SHA256 8200d743934c428bc853bed00c4b8980209211613721a94c258f0926d4a978ad
SHA512 44b643cbc9d7467d0cbfc07e48a63818a88b17fe35133bde2199ece37363731bd5f90b2e840ca1ded25c3b3ed34ecb509af348f0f313895090e743753293c439

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 3690a1c3b695227a38625dcf27bd6dac
SHA1 c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA256 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA512 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

C:\Users\Admin\AppData\Local\Temp\22d16109-f7a0-483b-ade4-9363da0fa9eb.vbs

MD5 3b21a7bcc81df4ddd61a068c1f70c128
SHA1 bcdcc360847a0b8f15629e8ed570318fe4d35673
SHA256 42c9a425c643686175e9b27e548397f7deb718d3911bbb450e670dfbc75cdbe2
SHA512 274ba46a801d0e9b1a5e170104b9a4dcaa06ce78b27734ce6fb8363926aaab5ad302cb3d2b10cadad79ec7220880be74397ded723798718355bbe03fe5e3f26a

C:\Users\Admin\AppData\Local\Temp\529b3577-5c0e-4203-845b-d7ed70a8dcdb.vbs

MD5 02420e1d1f242e38bbbb378337a68e79
SHA1 744827180e81574b464570c7f3eff6250a88d8b7
SHA256 345f67ae25bd73c54d999130aed785f92afe8516a075343e737b8cf3341b9da4
SHA512 11a1597cd3d1e42b1e6333da44526a1befd41f5eaf4abc71924a70a4a69b1fde366ba726c7716615751590de564dfe05c32a10cda6ef92087ba22a9152d769cc

C:\Users\Admin\AppData\Local\Temp\14533410-8406-4b29-a6b4-d838ab77bfb2.vbs

MD5 3da8c8ea3548ee67987baf091ad2c927
SHA1 1b687951804055b5563ca0956ac25e1e9a75f65d
SHA256 1e7f0123c3e269d73506d24e9ab2ed47096d2953fbb33839aced58b4bce0caec
SHA512 2996a3b9ea60929f2a7410f635f038b895a172f8e13da6f3c7e9d4de6e3ce7f03632b9d2e8a6d82f160174648e8715e4d057226b2b978e94e6c7020b98ba4f56

C:\Users\Admin\AppData\Local\Temp\5887cac0-59f8-489c-b4e8-4b6b9901f767.vbs

MD5 a6fd7960f9bf2ab88268bd51b9a6adde
SHA1 276af1d427a107e13b37157296b0f69c60c992ac
SHA256 04cce6a52e3b93b7fa33d88ad3f41f1ffd77f8d1377bd6ab48397bfdf4f39805
SHA512 8a05278c15fcbda0268d293c66fc165502aedf4d8703ec135262e4e0ff6bb0cc5b45e81290ff2ec32a8cd4bf4cbeaf5bab1121689d10459a078c805ee36bbdb0

C:\Users\Admin\AppData\Local\Temp\b0582d10-13c4-487f-82f4-0a8ecf98c2e6.vbs

MD5 495ec54a435532cf6bbecd4fc1550f8a
SHA1 cffc451b6d42bc71f18607d74b2492db80693850
SHA256 6582861e76aace85887b50fef82b37c06a93ecc0aaf0e227bce56f6854e40929
SHA512 960910ab83f2c6d18d2aea7163f79d37c52a7a59d6692bb76dd49d4754921e17b0331f5a2402ac9e5cae663f26e750956ed523f79b865b7337207be17ee7521a

C:\Users\Admin\AppData\Local\Temp\fec20a89-3ef5-426c-a6be-f3c98ca40f24.vbs

MD5 bc8e7a00776d47e0a2ffab4d898ce324
SHA1 b0569291b1befe60117ae71058df51a7fb62d65a
SHA256 c68b8d8b0ed19385d3df374670fa52a3b4b90a0e61b892169d7230c7895c47d7
SHA512 0c88e19f2b5732bf41bca5ee38ed3a86b9446a6132780c81fe49f270fe27a0713aaa742b931b703149fa90eededc72e3a6a806f05338d49b37e5d068caabee07

C:\Users\Admin\AppData\Local\Temp\eb9962c6-39f1-45e4-aee9-c7e531c1eb0f.vbs

MD5 6907344d060fb0ff26749cd9bea2271b
SHA1 22647b51ea0ab0e9c3d9aff71084135bad3041b1
SHA256 9392a254d2947e8f2a0e2c67aa7a28de0111919667367c0490956d8b7a9f7b31
SHA512 5dbc6cc62586111a171ea18e71b37dddd67f22666821a966bba2bc967eabd9b1028ebab8c5efefa2fc1d5fd13d69bdd10ecacaf013df5e857a3f47ff8c95e297

C:\Users\Admin\AppData\Local\Temp\ded2a714-455c-45a0-ab48-25c38291836a.vbs

MD5 b476554b57652ac622431e2926b89bb4
SHA1 8703b6dd5379d2745a194c83b7bcb45763a1f27e
SHA256 3f9f8bf3dcb1a281017bf589620c5ec2e796c39dfeff4d29a9a9bda44f867ab4
SHA512 3218d7ff3292a33c5a125094f3a1f1521116bcc228c5aa6225a08d5d4a68c731d44bbbc607495ca499d8339fba55346f87d3dbcbdaf02b0dbb110a8ee63ee5a2

C:\Users\Admin\AppData\Local\Temp\80764739-2eb7-4efe-a493-e651a4d57895.vbs

MD5 8e231ad69414d430476e0710a3175595
SHA1 82207712e2856310117b54d0e4761a130b96fca6
SHA256 8f4044a710d5782df828d5fe286c55fc6d8c09c3df7e62d0b10d5998d8375a71
SHA512 c66a8e3618628d6b32b916f33cc237d18341a4c8415ccc7b1662e6a87d96a2d389dcd9b57b85c4e4ac2aab9e3498a7886ee2995ee5b76f43d0c5d05c2ad5888a

C:\Users\Admin\AppData\Local\Temp\30a80b62-b432-476e-bbd4-d66a7a7ea57e.vbs

MD5 d151ec444fabedc36bd92648c1fbf193
SHA1 6e9f79b969fe4984e84eaa9636c440feec0784e9
SHA256 537610dbeaae7752cdf6e1255589fd1f75d4b31bfad848c106cfbfa8914e8914
SHA512 1981fa1eefeffbbff18619fde00da102980517bf2e2f78b438a89ee8f69797c06f925c2dfb674ca95156694650663053124955598b610122afb85999a5af2875