Malware Analysis Report

2024-11-15 05:49

Sample ID 240515-f293wabc96
Target fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2
SHA256 fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2

Threat Level: Known bad

The file fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2 was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DCRat payload

Dcrat family

DcRat

Process spawned unexpected child process

UAC bypass

Detects executables packed with SmartAssembly

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 05:23

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 05:23

Reported

2024-05-15 05:25

Platform

win7-20240221-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 30

UAC bypass

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe N/A 8
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe N/A 8
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe N/A 8
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1

DCRat payload

rat
Description Indicator Process Target Count
N/A N/A N/A N/A 10

Detects executables packed with SmartAssembly

Description Indicator Process Target Count
N/A N/A N/A N/A 8

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe N/A 8
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe N/A 8
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCXB7A1.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\fr-FR\RCXCCA7.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Program Files\Windows Portable Devices\audiodg.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Program Files\Windows Portable Devices\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCXB7A0.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCXC457.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\audiodg.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Program Files\7-Zip\Lang\csrss.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXC989.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXCA16.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\fr-FR\RCXCC1A.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Program Files\Windows NT\Accessories\fr-FR\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\csrss.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCXC4D4.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 39
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe N/A 13

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe N/A 8

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2648 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2648 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2648 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2648 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2648 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2648 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2648 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2648 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2648 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2648 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2648 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\cmd.exe
PID 2648 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\cmd.exe
PID 2648 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\cmd.exe
PID 2420 wrote to memory of 1288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2420 wrote to memory of 1288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2420 wrote to memory of 1288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2420 wrote to memory of 1744 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
PID 2420 wrote to memory of 1744 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
PID 2420 wrote to memory of 1744 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
PID 1744 wrote to memory of 2652 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1744 wrote to memory of 2652 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1744 wrote to memory of 2652 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1744 wrote to memory of 1076 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1744 wrote to memory of 1076 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1744 wrote to memory of 1076 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 1368 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
PID 2652 wrote to memory of 1368 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
PID 2652 wrote to memory of 1368 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
PID 1368 wrote to memory of 1640 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1368 wrote to memory of 1640 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1368 wrote to memory of 1640 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1368 wrote to memory of 796 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1368 wrote to memory of 796 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1368 wrote to memory of 796 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe
PID 1640 wrote to memory of 2944 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
PID 1640 wrote to memory of 2944 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
PID 1640 wrote to memory of 2944 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe
PID 2944 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZulfStaN0H.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ba87ecb-5940-4e8e-99b5-c28594552428.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38f2a627-7cef-471d-b9ba-76ada4004ead.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9ff88d6-4078-428f-820d-d181dc812c8b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9a63528-aa9c-4210-a140-02570c0c228a.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d34eee8e-524c-4087-a91e-d65ccab7e45a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b912e0d1-476a-4d1e-9a76-23175d7b3fb4.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc084c79-a470-4d86-930c-d700d3640fdf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5da4343-89e7-4ce4-8f8b-0ff6ad17c0dc.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35ce29fa-6efb-4e8a-a27e-88125fae8067.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32820891-7f20-4536-a645-0b24fa57176c.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e469dcc1-53c4-4778-9dbb-78fc602cc11e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f60a501-32b9-480d-ba19-0600d2faf1d3.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cd5ec01-4606-41ef-9bc8-2f0fc4de7219.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7796154a-93df-48a5-90d2-035d9d1fd528.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c417b61-62ba-4d00-878d-f6c7f03d2c67.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56f45f54-f828-4fbd-840a-ec174146d5bd.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\375815db-b0f5-4f6e-a3db-62422041f877.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9228f5ee-a058-463b-8c2c-682d53753662.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.145.208:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.198:80 self-lighting-subpr.000webhostapp.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 05:23

Reported

2024-05-15 05:25

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 24
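The 24 identical rows above are one finding repeated: schtasks.exe started with WmiPrvSE.exe as its parent, which is the lineage a process gets when it is created through WMI rather than directly by the caller. The following is an added example (not the sandbox's or DCRat's code) of the parent/child check as it would run over process-creation events; the event rows are constructed to mirror the report, and the allow-list of legitimate schtasks.exe parents is an assumption to be tuned per estate.

```python
"""Parent/child lineage check for schtasks.exe.

Added example for this report, not sandbox or malware code. The sample
events below are constructed to mirror the 24 rows in the report.
"""
from collections import Counter
from dataclasses import dataclass

# Assumption: parents that legitimately launch schtasks.exe on a managed
# workstation. This is an allow-list to tune for your environment, not a
# complete or authoritative one.
EXPECTED_SCHTASKS_PARENTS = frozenset({
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\syswow64\cmd.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
})


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 / ETW style)."""
    parent_image: str
    image: str


def _norm(path: str) -> str:
    """Case-fold and strip quotes so paths compare reliably."""
    return path.strip().strip('"').lower()


def is_unexpected_child(ev: ProcessEvent,
                        child: str = "schtasks.exe",
                        allowed: frozenset = EXPECTED_SCHTASKS_PARENTS) -> bool:
    """True when `child` is spawned by a parent outside the allow-list."""
    image = _norm(ev.image)
    if image.rsplit("\\", 1)[-1] != child:
        return False
    return _norm(ev.parent_image) not in allowed


def triage_lineage(events) -> dict:
    """Collapse repeated hits into {(parent, child): count}, the way an
    analyst summarises the report's identical rows."""
    hits = Counter(
        (_norm(ev.parent_image), _norm(ev.image))
        for ev in events
        if is_unexpected_child(ev)
    )
    return dict(hits)


# Constructed sample: the report's 24 hits, one benign launch from cmd.exe,
# and one WMI-spawned process that is not schtasks.exe.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\system32\wbem\wmiprvse.exe",
                 r"C:\Windows\system32\schtasks.exe"),
] * 24 + [
    ProcessEvent(r"C:\Windows\system32\cmd.exe",
                 r"C:\Windows\system32\schtasks.exe"),
    ProcessEvent(r"C:\Windows\system32\wbem\wmiprvse.exe",
                 r"C:\Windows\system32\wbem\wmic.exe"),
]

if __name__ == "__main__":
    for (parent, child), n in triage_lineage(SAMPLE_EVENTS).items():
        print(f"{n:>3}x  {parent}  ->  {child}")
```

The check keys on the child's basename and the parent's full path, so a renamed copy of schtasks.exe would evade it; pair it with the scheduled-task creation events (Task Scheduler operational log or the schtasks command line) rather than relying on lineage alone.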

UAC bypass

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 14
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 14
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 14

DCRat payload

rat
Description Indicator Process Target Count
N/A N/A N/A N/A 5

Detects executables packed with SmartAssembly

Description Indicator Process Target Count
N/A N/A N/A N/A 8

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 14

Executes dropped EXE

Description Indicator Process Target Count
N/A N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 14

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 1
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 14
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 14
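The "UAC bypass" and "Checks whether UAC is enabled" tables describe the same registry activity: each copy of the sample reads EnableLUA and then writes EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. That key is writable only from an elevated token, and the drops into C:\Windows succeeded, so in this detonation the sample was already running elevated and is disabling UAC for whatever follows rather than bypassing it: ConsentPromptBehaviorAdmin=0 removes the consent prompt for subsequent elevation requests, PromptOnSecureDesktop=0 moves any remaining prompt to the spoofable user desktop, and EnableLUA=0 switches UAC off after the next reboot. The following is an added example (not the sandbox's code) that parses registry rows in the report's format, counts the policy writes per process, and replays them onto documented Windows 10 defaults to say what the machine's UAC state would be; the sample rows are constructed from the report and the defaults are an assumption stated in the code.

```python
"""Classify UAC policy writes from sandbox registry rows.

Added example for this report, not sandbox or malware code. Rows are in
the report's own "Description Indicator Process Target" format.
"""
import re
from collections import Counter

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Assumption: documented Windows 10 defaults for the three values the sample
# writes (not taken from the report).
SECURE_DEFAULTS = {
    "EnableLUA": 1,                   # 1 = UAC on; 0 = UAC off after next reboot
    "ConsentPromptBehaviorAdmin": 5,  # 5 = prompt for consent (non-Windows binaries); 0 = elevate silently
    "PromptOnSecureDesktop": 1,       # 1 = prompt on secure desktop; 0 = prompt on the user desktop
}

# Key paths and process paths may both contain spaces ("Offline Web Pages",
# "Control Panel"), so the process is anchored on its drive letter.
_SET = re.compile(
    r'^Set value \(int\) (?P<path>\\REGISTRY\\.+?) = "(?P<val>-?\d+)" (?P<proc>[A-Za-z]:\\.+?) N/A$')
_QUERY = re.compile(
    r'^Key value queried (?P<path>\\REGISTRY\\.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$')


def parse_row(row: str):
    """Return (action, key, value_name, value, process) or None for rows that
    are not registry set/query events."""
    m = _SET.match(row)
    if m:
        key, name = m.group("path").rsplit("\\", 1)
        return ("set", key, name, int(m.group("val")), m.group("proc"))
    m = _QUERY.match(row)
    if m:
        key, name = m.group("path").rsplit("\\", 1)
        return ("query", key, name, None, m.group("proc"))
    return None


def _is_uac_write(ev) -> bool:
    return ev is not None and ev[0] == "set" and ev[1].lower() == UAC_KEY.lower()


def uac_policy_writes(rows) -> dict:
    """{(value_name, new_value, writing_process): count} for the UAC key only."""
    hits = Counter()
    for row in rows:
        ev = parse_row(row)
        if _is_uac_write(ev):
            hits[(ev[2], ev[3], ev[4])] += 1
    return dict(hits)


def replay_uac_state(rows, start=SECURE_DEFAULTS) -> dict:
    """Apply the observed writes, in order, to a starting registry state."""
    state = dict(start)
    for row in rows:
        ev = parse_row(row)
        if _is_uac_write(ev) and ev[2] in state:
            state[ev[2]] = ev[3]
    return state


def uac_findings(state: dict) -> list:
    """Human-readable consequences of the resulting UAC state."""
    findings = []
    if state.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC disabled entirely after the next reboot")
    if state.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt")
    if state.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: any remaining prompt appears on the spoofable user desktop")
    return findings


# Constructed sample rows copied from the report's format: the original in
# %TEMP%, the dropped copy, one unrelated query and one non-registry row.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
DROPPED_EXE = r"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
SAMPLE_ROWS = [
    rf'Key value queried {UAC_KEY}\EnableLUA {TEMP_EXE} N/A',
    rf'Set value (int) {UAC_KEY}\PromptOnSecureDesktop = "0" {TEMP_EXE} N/A',
    rf'Set value (int) {UAC_KEY}\ConsentPromptBehaviorAdmin = "0" {TEMP_EXE} N/A',
    rf'Set value (int) {UAC_KEY}\EnableLUA = "0" {TEMP_EXE} N/A',
    rf'Key value queried {UAC_KEY}\EnableLUA {DROPPED_EXE} N/A',
    rf'Set value (int) {UAC_KEY}\EnableLUA = "0" {DROPPED_EXE} N/A',
    rf'Set value (int) {UAC_KEY}\ConsentPromptBehaviorAdmin = "0" {DROPPED_EXE} N/A',
    rf'Set value (int) {UAC_KEY}\PromptOnSecureDesktop = "0" {DROPPED_EXE} N/A',
    rf'Set value (int) {UAC_KEY}\EnableLUA = "0" {DROPPED_EXE} N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation ' + DROPPED_EXE + ' N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings ' + DROPPED_EXE + ' N/A',
]

if __name__ == "__main__":
    for (name, val, proc), n in sorted(uac_policy_writes(SAMPLE_ROWS).items()):
        print(f"{n:>3}x {name}={val} by {proc}")
    for line in uac_findings(replay_uac_state(SAMPLE_ROWS)):
        print("  !", line)
```

Because EnableLUA only takes effect on reboot, a host that has only just run this sample still shows UAC on in the live session while the registry already says otherwise; the replayed state, not the current prompt behaviour, is what to check during response.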

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Program Files\ModifiableWindowsApps\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\RCX4ADA.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\RCX4ADB.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File created C:\Windows\Offline Web Pages\9dc782f1c4282e C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Windows\Offline Web Pages\RCX54A6.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Windows\Offline Web Pages\RCX54A7.tmp C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
File opened for modification C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
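The two file tables above show the persistence layout: a process running from %TEMP% writes copies of itself into C:\Windows\Offline Web Pages and C:\Program Files\ModifiableWindowsApps, writes a copy named StartMenuExperienceHost.exe into a Program Files subfolder where that Windows binary does not belong, and places an extensionless 14-hex-character file (55b276f4edf653, 9dc782f1c4282e) beside each copy. The following is an added example (not the sandbox's code) that parses file rows in the report's format and tags those three patterns; the sample rows are constructed from the report, and the table of expected locations for Windows binaries is an assumption of the example.

```python
"""Flag dropped-file placement anomalies from sandbox file rows.

Added example for this report, not sandbox or malware code. Rows follow the
report's "File created|opened for modification <path> <process> N/A" format.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: where these Windows binaries normally live. StartMenuExperienceHost.exe
# ships as a packaged app under C:\Windows\SystemApps; this table is the example's,
# not the report's, and should be extended from a known-good reference host.
KNOWN_SYSTEM_BINARIES = {
    "startmenuexperiencehost.exe": r"c:\windows\systemapps",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
PROTECTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
USER_ROOT = r"c:\users"          # anything under a profile, including %TEMP%
HEX_NAME = re.compile(r"[0-9a-f]{12,16}")   # extensionless hex companion files

# Both the file path and the process path can contain spaces, so the second
# path is anchored on its drive letter.
_FILE = re.compile(
    r"^File (?P<action>created|opened for modification) "
    r"(?P<path>[A-Za-z]:\\.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$")


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path is inside root' on path components."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    r = [s.lower() for s in PureWindowsPath(root).parts]
    return p[:len(r)] == r


def parse_file_row(row: str):
    """Return (action, path, process) or None for non-file rows."""
    m = _FILE.match(row)
    return (m.group("action"), m.group("path"), m.group("proc")) if m else None


def classify_drop(ev) -> set:
    """Tags for one file event: masquerade, temp_to_protected, hex_companion."""
    action, path, proc = ev
    name = PureWindowsPath(path).name.lower()
    in_protected = any(_under(path, r) for r in PROTECTED_ROOTS)
    tags = set()
    expected = KNOWN_SYSTEM_BINARIES.get(name)
    if expected and not _under(path, expected):
        tags.add("masquerade")
    if name.endswith(".exe") and in_protected and _under(proc, USER_ROOT):
        tags.add("temp_to_protected")
    if in_protected and HEX_NAME.fullmatch(name):
        tags.add("hex_companion")
    return tags


def triage_drops(rows) -> dict:
    """{tag: sorted unique paths} across all rows."""
    out = defaultdict(set)
    for row in rows:
        ev = parse_file_row(row)
        if ev is None:
            continue
        for tag in classify_drop(ev):
            out[tag].add(ev[1])
    return {tag: sorted(paths) for tag, paths in out.items()}


# Constructed sample rows mirroring the report's two file tables.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"
SMEH = r"C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe"
SAMPLE_FILE_ROWS = [
    f"File opened for modification {SMEH} {TEMP_EXE} N/A",
    f"File created {SMEH} {TEMP_EXE} N/A",
    rf"File created C:\Program Files\Windows NT\TableTextService\en-US\55b276f4edf653 {TEMP_EXE} N/A",
    rf"File created C:\Program Files\ModifiableWindowsApps\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe {TEMP_EXE} N/A",
    rf"File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\RCX4ADA.tmp {TEMP_EXE} N/A",
    rf"File created C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe {TEMP_EXE} N/A",
    rf"File created C:\Windows\Offline Web Pages\9dc782f1c4282e {TEMP_EXE} N/A",
]

if __name__ == "__main__":
    for tag, paths in sorted(triage_drops(SAMPLE_FILE_ROWS).items()):
        print(tag)
        for p in paths:
            print("   ", p)
```

The masquerade check is the one that generalises: the report's SHA256-named copies are sandbox naming, and a real victim sees whatever filename the builder chose, but a file called StartMenuExperienceHost.exe outside C:\Windows\SystemApps is anomalous regardless of the sample.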

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target Count
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A 14

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3452 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 3452 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 4080 wrote to memory of 3748 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 4080 wrote to memory of 3748 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 4080 wrote to memory of 1160 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 4080 wrote to memory of 1160 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 3748 wrote to memory of 1492 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 3748 wrote to memory of 1492 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 1492 wrote to memory of 1524 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1492 wrote to memory of 1524 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1492 wrote to memory of 2924 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1492 wrote to memory of 2924 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1524 wrote to memory of 1540 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 1524 wrote to memory of 1540 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 1540 wrote to memory of 704 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1540 wrote to memory of 704 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1540 wrote to memory of 1532 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1540 wrote to memory of 1532 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 704 wrote to memory of 3296 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 704 wrote to memory of 3296 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 3296 wrote to memory of 2620 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 3296 wrote to memory of 2620 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 3296 wrote to memory of 5012 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 3296 wrote to memory of 5012 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 2620 wrote to memory of 400 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 2620 wrote to memory of 400 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 400 wrote to memory of 432 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 400 wrote to memory of 432 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 400 wrote to memory of 4092 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 400 wrote to memory of 4092 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 432 wrote to memory of 1552 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 432 wrote to memory of 1552 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 1552 wrote to memory of 2772 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1552 wrote to memory of 2772 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1552 wrote to memory of 1992 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1552 wrote to memory of 1992 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 2772 wrote to memory of 1752 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 2772 wrote to memory of 1752 N/A C:\Windows\System32\WScript.exe C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe
PID 1752 wrote to memory of 4788 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1752 wrote to memory of 4788 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1752 wrote to memory of 624 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe
PID 1752 wrote to memory of 624 N/A C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Users\Admin\AppData\Local\Temp\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2f" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2f" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94b9ac9d-f132-4d58-9ecb-ec50f858cd71.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6081d05-8b05-47c0-a46d-83ba77d8c8ab.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\748fa5cc-c786-4068-9469-39034a9fc335.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d700e0af-cbb3-4724-8d34-c81ee8a7e1d4.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a5d2af0-8211-4e8d-90bf-c8bf40b0788b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a8d8aa3-111f-43d8-a767-b82fb38cff7a.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87e2794b-aefb-47b4-9fc3-3c4adc76c8f8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\412dc657-5bbb-41b9-954e-2128d21e6a4e.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\633a59a5-8277-42e2-9a2c-0801d19472e8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18638d66-21fd-409e-80d6-7d1bf10bbbd6.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6115834b-1760-4d3e-bcb4-d1c3d2a213ef.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a81244-ab1f-42db-bcbc-552e353ec3aa.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa7bddee-3c78-4a61-8f55-81f010c028c5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06c3dbe2-d1e8-41d7-8452-15b47fdb8cda.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0bd3e5a-7c74-4fe2-9014-1170511a2778.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a72c44a-71bf-48af-b189-a1f9a37d0859.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6af9a5f4-26ab-4380-80c4-1e19bfb923cd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd82a305-9143-41d4-bdd4-6bc2b71597eb.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3151bcac-f861-4e5d-923a-3f0a07258169.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1f10f9c-ffb4-45c2-afd4-eee2bef78270.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23309f03-b20b-44ef-b564-77bdaa6286fd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69feadab-9f6a-4f04-ac8b-dcc2426839c4.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d72b2557-c752-46af-9c39-c912e5a6f26e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9038a684-e8f3-4b42-b603-7017b5e3adfb.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cb166df-8172-4e72-b79f-eced626f5086.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a3135fe-9e62-474b-955b-d962480954a0.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6eba04d-9983-4f38-a586-25804533dd7c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d9f0946-75e1-454e-b9c0-89adc782f254.vbs"

C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe

"C:\Windows\Offline Web Pages\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.144.155:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 155.144.14.145.in-addr.arpa udp
US 145.14.144.155:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 145.14.144.155:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.155:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.155:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 145.14.144.155:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.144.61:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 61.144.14.145.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 145.14.144.61:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.61:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 145.14.144.61:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.61:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.61:80 self-lighting-subpr.000webhostapp.com tcp
US 145.14.144.61:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 self-lighting-subpr.000webhostapp.com udp
US 145.14.144.126:80 self-lighting-subpr.000webhostapp.com tcp
US 8.8.8.8:53 126.144.14.145.in-addr.arpa udp

Files

memory/3452-1-0x0000000000840000-0x0000000000B7C000-memory.dmp

memory/3452-0-0x00007FFFD5833000-0x00007FFFD5835000-memory.dmp

memory/3452-2-0x00007FFFD5830000-0x00007FFFD62F1000-memory.dmp

memory/3452-3-0x0000000002CA0000-0x0000000002CAE000-memory.dmp

memory/3452-4-0x0000000002CB0000-0x0000000002CBE000-memory.dmp

memory/3452-5-0x000000001B7A0000-0x000000001B7A8000-memory.dmp

memory/3452-6-0x000000001B7B0000-0x000000001B7CC000-memory.dmp

memory/3452-9-0x000000001BDF0000-0x000000001BE00000-memory.dmp

memory/3452-8-0x000000001BDE0000-0x000000001BDE8000-memory.dmp

memory/3452-7-0x000000001BE30000-0x000000001BE80000-memory.dmp

memory/3452-10-0x000000001BE00000-0x000000001BE16000-memory.dmp

memory/3452-11-0x000000001BE20000-0x000000001BE28000-memory.dmp

memory/3452-12-0x000000001BF80000-0x000000001BF90000-memory.dmp

memory/3452-13-0x000000001BE80000-0x000000001BE8A000-memory.dmp

memory/3452-14-0x000000001BE90000-0x000000001BEE6000-memory.dmp

memory/3452-15-0x000000001BEE0000-0x000000001BEEC000-memory.dmp

memory/3452-16-0x000000001BEF0000-0x000000001BEF8000-memory.dmp

memory/3452-17-0x000000001BF00000-0x000000001BF0C000-memory.dmp

memory/3452-18-0x000000001BF10000-0x000000001BF18000-memory.dmp

memory/3452-19-0x000000001BF20000-0x000000001BF32000-memory.dmp

memory/3452-20-0x000000001C4C0000-0x000000001C9E8000-memory.dmp

memory/3452-21-0x000000001BF50000-0x000000001BF5C000-memory.dmp

memory/3452-22-0x000000001BF60000-0x000000001BF6C000-memory.dmp

memory/3452-23-0x000000001BF70000-0x000000001BF7C000-memory.dmp

memory/3452-24-0x000000001BF90000-0x000000001BF9C000-memory.dmp

memory/3452-25-0x000000001C1A0000-0x000000001C1A8000-memory.dmp

memory/3452-30-0x000000001C1E0000-0x000000001C1EC000-memory.dmp

memory/3452-31-0x000000001C230000-0x000000001C238000-memory.dmp

memory/3452-29-0x000000001C1D0000-0x000000001C1DE000-memory.dmp

memory/3452-28-0x000000001C1C0000-0x000000001C1C8000-memory.dmp

memory/3452-27-0x000000001C1B0000-0x000000001C1BE000-memory.dmp

memory/3452-26-0x000000001C2B0000-0x000000001C2BA000-memory.dmp

memory/3452-32-0x00007FFFD5830000-0x00007FFFD62F1000-memory.dmp

memory/3452-34-0x000000001C250000-0x000000001C25C000-memory.dmp

memory/3452-33-0x000000001C240000-0x000000001C24A000-memory.dmp

memory/3452-37-0x00007FFFD5830000-0x00007FFFD62F1000-memory.dmp

C:\Recovery\WindowsRE\RuntimeBroker.exe

MD5 438789fc2753a3a41d1704542bf93769
SHA1 81a6c969c14fc47a15d2574cfb63dee2cbcbf12c
SHA256 fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2
SHA512 c2ae311e1d852759bcfcc3ad0d0daac2e702a8f95065ce71f6eb104d116cadcbacb6b775c0b646d5f57ec1d2463d3c1749803b1416caa75de5b30a03430e329c

C:\Recovery\WindowsRE\RuntimeBroker.exe

MD5 40721fa66267a40b1014615daa6ad230
SHA1 0615ff6d43e94a1de619d3bbe0ccb827cf7f0d5f
SHA256 d3ad27d54ee053b638694c0a56cd0f3102543c94a2d2a03fe114746b48483c8d
SHA512 2d6ff3abfd27438d005786aea57592b2414a59e21bdba64f942332375de2c061164d3542df9a1194dbe96e93de3aba25662a8c7431fcc37b7e0906803e0c7d9f

C:\Recovery\WindowsRE\smss.exe

MD5 96478b98110e190884150a10eb3bcaa1
SHA1 e29401b4944b0e1c142145a856cdf0137a52e0d9
SHA256 f5cd6b3675740cc78c7e3432af17bcf82e8b0bbd69a6a8c69471005147587780
SHA512 ec8eba96edfdec64a962f06349833cde489fd6a24fe1b4aab53bf97c0e72d118f20129474f512c62d670a6dd7b3f19783855a06b5f9c77ce69e9d54ee19730aa

memory/920-195-0x0000024E34F70000-0x0000024E34F92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_114vg5xi.zli.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3452-297-0x00007FFFD5830000-0x00007FFFD62F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

memory/4080-319-0x000000001BF30000-0x000000001BF42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Temp\94b9ac9d-f132-4d58-9ecb-ec50f858cd71.vbs

MD5 3a9a58e4b48416a0973387a4ee0a2446
SHA1 060ea620022fca3c5a422582998413670b910c0e
SHA256 deaf1f5a1c4497ad7a3f05df8696c5c6a09bafb74da2190f0a6afcb48563aec7
SHA512 15193de5ada2a944aa0dee365fad24af17513bae06bc846076c2e546a4a7865bdbd01fcf06bb7d3aab966b79ee6a41adf4f0e913a95eea68ed2dbe9d5e9c8d79

C:\Users\Admin\AppData\Local\Temp\c6081d05-8b05-47c0-a46d-83ba77d8c8ab.vbs

MD5 e5828c3b884203dd5e6f4a13896774c3
SHA1 71b7f55eea0da9182888aeaf5c010bacdaef0096
SHA256 12910d4c48b1d8f91906cdc1ee8d9051c91144a20e57fae68f0e38612c181e11
SHA512 d69572a7aea07d454d72ae316112714eb567ea2504b34b4b8e5142b47b839becdc4022111799794835c22cf17ed66d55e38470627ce09124c7ff822e46e7f31e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fe19b21819601fec7281be0f74c46c321b2c8115af1ba7e66e490863e4c240a2.exe.log

MD5 655010c15ea0ca05a6e5ddcd84986b98
SHA1 120bf7e516aeed462c07625fbfcdab5124ad05d3
SHA256 2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14
SHA512 e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

C:\Users\Admin\AppData\Local\Temp\748fa5cc-c786-4068-9469-39034a9fc335.vbs

MD5 23c35a8e2d2320db1623efadf69ff3b4
SHA1 0940662f6a0c563b872be1581b6b71ac3ff83762
SHA256 012808503e876492f853d35f75f5064dcb3306721d86cee43a0ed48d3036b557
SHA512 a2734b735e55c78ceb7c5c8d28356601a89cd42f702f73a5c36833fd1c13f7d7778d4f6ac9e64de0e74b76eb6a1e4d68f19c8539c38e644e4b89e01e8d453421

C:\Users\Admin\AppData\Local\Temp\7a5d2af0-8211-4e8d-90bf-c8bf40b0788b.vbs

MD5 41af0b6c1fa3dfd3826881402f4686b6
SHA1 7bb5d121beb65739a13c9767db17419847e4af1d
SHA256 486e46257c1c7bed64732bcac7cb89d6cb84bdc949332430572e5439fe25fa8c
SHA512 5254899babe3f9abcdedd6b23c4368cfb97d78054285295ba6abfa7bcf254a5a9cdf9aec6b0f1064aba7e722239dfccf48266736a93642f20c8aba1456f0ba9d

C:\Users\Admin\AppData\Local\Temp\87e2794b-aefb-47b4-9fc3-3c4adc76c8f8.vbs

MD5 3caff10e9641e5a97a7fe515326d0a06
SHA1 7eca5cc9a8a127f60fdd72a75d3da2444af339e6
SHA256 a35192e330b313a8fd0e564b9caa488749b334fe16071644523970b11ce83419
SHA512 78dfadd9d3739abbed04eb7b4e15e7cc8734784b75f682d860f2706862d97577f1175b63c989bf755d405c6ddf336864315250eeddf46a1764edd58004d11d36

C:\Users\Admin\AppData\Local\Temp\633a59a5-8277-42e2-9a2c-0801d19472e8.vbs

MD5 346b5510d107885087bed6616041f015
SHA1 44493aba332f77241f03e52e7dee5815eb699dc8
SHA256 af3b5f1b4404e6163efae44645c863498cd31b28047708c9e0b392e04648180d
SHA512 1c9c7b5468f7099cb583fca1b6b9bec8f00f46ab9df8d662bfbb0f98f764aec01606bc6679b66516cb3d510cd4a21144a3ae47c6a86a46e1ff5e174a2a3f7216

C:\Users\Admin\AppData\Local\Temp\6115834b-1760-4d3e-bcb4-d1c3d2a213ef.vbs

MD5 c3e39de617bd3c242a23f7ce8c38b4e9
SHA1 b7e5e0f9f89a7f7b550b33040f82809a39eff4cc
SHA256 3d0845723ce4b0f2f68efc3549209eaff85398c07c67fcb13338f23c18901658
SHA512 260f10910e5e77d463fde4d3fd2a6bcb9b74480729dffa351fa8886e897d8d673e4deb1fbdeb339739eb3dc20b9902790daa18621a0e454f5219e66fdafd92e9

C:\Users\Admin\AppData\Local\Temp\aa7bddee-3c78-4a61-8f55-81f010c028c5.vbs

MD5 025d35b02f307215dd2e80968824a0ad
SHA1 c1b42882672b561372c8af6a19631c03ec4c7f89
SHA256 e0f5e2d6f8c204d3c9f710e719a52891fd52b59c555e0a783cd70f271d8c2922
SHA512 cc35c3c2ad98a563f75f536c2f0128ee57d4eb90dd67c97df2b153d95d117035eb7e91851a4242f61052ea1e2f34461737d22a79879fbd9e4a3f7d82537ca73c

C:\Users\Admin\AppData\Local\Temp\d0bd3e5a-7c74-4fe2-9014-1170511a2778.vbs

MD5 25a58ad01d80b08822ef99c962897ca3
SHA1 6802baed3350c71c9867ccb85cb3be1e69caf182
SHA256 12e8fe1d4a57c5a718d349eb2af2cfcf5916285cf991934c7c047f491bd86514
SHA512 2e11d10ce17da78f4c34a5c37d54c96f9755a8a03020a32868d60c20f0d451621dd3a5a64184ce22100c548b9c30f00d58355a1ca23a9ddd2ccf8166df37816a

memory/1700-410-0x000000001B990000-0x000000001B9E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6af9a5f4-26ab-4380-80c4-1e19bfb923cd.vbs

MD5 46cdefd5836499227934e3041a33a16e
SHA1 a126e17f833888692f13454800673e7dabee4aa8
SHA256 5a356fd7a3f43df2621135bf8aa14f37c0d46311035b4f50fe23e042dd60c67f
SHA512 0a67ef48472f7b0ae788dc8a7d1e29fe79c5e4c64039568625d364563af31f1db723fc3ae71d66aa129bc0e8e90e10d3cec12209eaf4f6ab4d7f26ce0837a30c

C:\Users\Admin\AppData\Local\Temp\3151bcac-f861-4e5d-923a-3f0a07258169.vbs

MD5 311a7494b5041385b5352a4405792327
SHA1 689c42532258179a0a199bd0ca3804c4335e7ac3
SHA256 762faadea90d8159657276232d7d55c9b453c12a8e814c62f234119314060a80
SHA512 9e493bd8f8a52bc7578566bffc62aa6b07608a060cd049c759dbc9df8f73f46b6082af3d83629eae2851f5837e3972e5cff473a0ddfa86b18e905b280bb4d85b

C:\Users\Admin\AppData\Local\Temp\23309f03-b20b-44ef-b564-77bdaa6286fd.vbs

MD5 b6050d1c253115bd09f689db02cb3e9a
SHA1 6753fefd1f4d461c8965b0e729ba54f810c907c8
SHA256 0dba2333ba6a4218fd8cf1083e9ab155f82229d2cbaf9f50e909f5db0efefc30
SHA512 c152b8c67ef83f01fc7355137eeeb6ccda09f376e5a215135cb6567017f1674d495e4ec20a47a82d2ac48ad22ae0fd56de2b9ca498011cd1b7c38ca2bc3b17c0

C:\Users\Admin\AppData\Local\Temp\4915170ccee1a4e10bf6f9f05322c0d4553d6be0.exe

MD5 3c3ec29aa1f155bd89d18a47b4e71310
SHA1 c703547af7764177de6cd0cd7e20323bdc13eba5
SHA256 c750ebde3de5d003b728ad04c0d0c535935682f6b0e7fb900a9833bf4adbe3e9
SHA512 e6dc5308ee5e1709338b5eb7ae9afe02caa14eaa1552f1f92ecfbd9806bc6014d6a57a1659f4fa5a89e0bc9359ff422e57fefc59c069b50d0fee795da39b66a3

C:\Users\Admin\AppData\Local\Temp\d72b2557-c752-46af-9c39-c912e5a6f26e.vbs

MD5 c01ed1d5ce3eb1851f7c0255eda039ae
SHA1 8f3188d70be25ece55534c0821ece1233a5974d8
SHA256 5885e4bfc893d39bc7b6242aa1fcd457b83356ee1c7cc5ab7b03c03272edb780
SHA512 e81e22b8b6bd14b0674e3bdfdc90fe405f0ce7bfbd0e22fef7c56b6868ee4b396faeb89609b0529a2db31b0d1ba967c9cd22817c1ed518437c25e53741bd661a