Malware Analysis Report

2024-11-13 13:42

Sample ID 240516-ber7bsdd29
Target 9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64
SHA256 9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64
Tags
dcrat evasion execution infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64

Threat Level: Known bad

The file 9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64 was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan

Dcrat family

DCRat payload

DcRat

Process spawned unexpected child process

UAC bypass

DCRat payload

Detects executables packed with SmartAssembly

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

System policy modification

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 01:03

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 01:03

Reported

2024-05-16 01:06

Platform

win7-20240508-en

Max time kernel

148s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (30 identical events)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\taskhost.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files\Windows Media Player\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files\Windows Media Player\RCX3185.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files\Windows Media Player\taskhost.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Vss\Writers\Idle.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Windows\Vss\Writers\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Windows\Help\OEM\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Windows\Resources\RCX2AFD.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Windows\Resources\lsass.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Windows\Resources\lsass.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Windows\Resources\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Windows\Help\OEM\csrss.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Windows\Vss\Writers\RCX24F1.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Windows\Vss\Writers\Idle.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Windows\Help\OEM\RCX33F6.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Windows\Help\OEM\csrss.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A (3 identical events)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (11 identical events)
N/A N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A (14 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (11 identical events)
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A (14 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2248 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2248 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2248 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2248 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2248 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2248 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2248 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2248 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2248 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\cmd.exe
PID 2248 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\cmd.exe
PID 2248 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\cmd.exe
PID 1508 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1508 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1508 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1508 wrote to memory of 2060 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
PID 1508 wrote to memory of 2060 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
PID 1508 wrote to memory of 2060 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
PID 2060 wrote to memory of 264 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 2060 wrote to memory of 264 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 2060 wrote to memory of 264 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 2060 wrote to memory of 1076 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 2060 wrote to memory of 1076 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 2060 wrote to memory of 1076 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 264 wrote to memory of 348 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
PID 264 wrote to memory of 348 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
PID 264 wrote to memory of 348 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
PID 348 wrote to memory of 620 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 348 wrote to memory of 620 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 348 wrote to memory of 620 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 348 wrote to memory of 2028 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 348 wrote to memory of 2028 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 348 wrote to memory of 2028 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 620 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
PID 620 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
PID 620 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
PID 2636 wrote to memory of 2200 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 2636 wrote to memory of 2200 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 2636 wrote to memory of 2200 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe
PID 2636 wrote to memory of 2104 N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe

"C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Resources\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\OEM\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\OEM\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\OEM\csrss.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AFF5hliR7g.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b2823b-b194-456b-aeb7-173afa633f56.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68d747ab-e2cd-4bdf-a326-97595606517b.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11ba26b-4933-4562-bc04-d6c9ffd2b3ae.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3baaa3aa-cd49-46c6-932d-482720fd9811.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f50e57a-a135-4259-94db-fcc8c5acb4bd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3398dd94-332a-475c-a320-2238214d2d1b.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eba172d5-ae07-446c-a51c-d53a414f594d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\859be087-e026-4fc7-9207-74b3c9e232fc.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e9df990-6ee5-49cf-bf9e-d2b64d4cef69.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62136ba5-ecf4-4b47-8dc0-76d2d620c30a.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6f72e65-069d-4105-9a90-374c53e8ebb6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2abcb4af-ca17-4eb6-8adc-fb7f8646c7ab.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\093cb249-9c92-4fc5-a44b-c938acd84eaf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fca86325-20c3-4908-9a62-271bcff903ef.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\791c4edb-89e3-4e11-b368-7ad96592eab3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06a3b784-1082-4880-b71c-3c2f073005a7.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb2bb95-b6ee-486c-ba90-ce26d667aa8f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\768dc9d9-4a72-4807-9ad0-b27e7c5ed284.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b5214a7-01a5-4ce9-b959-4ad57d3aa1c5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d65d151-3154-44b0-9b51-41d7b0d33e23.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\613d7958-e214-4eda-b690-e3aad559e623.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2580e6f5-68c1-4a07-b5d6-03550be1fb06.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c3c2a91-af01-44aa-8682-d25dbc135aee.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb4ac21c-91f7-4310-8f0d-bcc02bc748d0.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fee3d53-b82b-40bc-9964-2e75eaa90ea4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78e5eca0-1d60-4b50-beed-3b6dd21cc389.vbs"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1cc3ed6-25d9-4d7e-8b5f-99c6f562ef5b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05df3311-bb1c-43cc-93de-ebccb199cf64.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0951158.xsph.ru udp
RU 141.8.192.82:80 a0951158.xsph.ru tcp

Files

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

MD5 b244f673168b94dfbd0c4120790db0c1
SHA1 504ae2d279ef5640bd6a91729a856f6f62744756
SHA256 9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64
SHA512 37ac77251f3f776483e0cbfec920365e4916c2f8f9cd115e72c485cedd6975af5ee6eb8edad86837beceeebe633776ea1e8782b3e4209c78490ec2d221485a94

C:\Program Files\Windows Media Player\taskhost.exe

MD5 06f0070d3588cf6ed4bf34ba0d784ed1
SHA1 f3dc63b2212e62df1bab79170abb5695f65b4272
SHA256 ba4a91d7f8c835934fb5347e47b3c1d908db79857d94ae958fd828dbc5d82dca
SHA512 16c0186e092e4e863d26c8d47dc0e4cad27fa98d2eb21fca4dd36e25b366606ca50fb2c67034ac1c45833d756c8c2523fbafdd920e23316fa1dcd264de7492d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 6b4ea32dd4dddaa7cbf9bbad56c441a9
SHA1 97ba53f26f72502d781f04bf7947a61aad47810b
SHA256 38bd12b58c90a7b767b334453938e27f61ba56c197399c911d19ce1df0673648
SHA512 5e9694ad0b10610e8e7604160866b97e90c6dd232aca7932af852ec09ba24452f52b81645f58a26bd68961cd7661e82f21ba5d20599c7f473c66b47870e6b0db

memory/1476-143-0x0000000001D90000-0x0000000001D98000-memory.dmp

memory/1328-131-0x000000001B570000-0x000000001B852000-memory.dmp

memory/2248-163-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AFF5hliR7g.bat

MD5 11ba1a47d4815c1d6bbf547978b784ab
SHA1 92e5aeb56e63bb29dac5a99d906ec8d95af2d008
SHA256 be4ca71c65e8e0f6a09c6a5139910b5268a2341bfa500601150c5b81b8193ce8
SHA512 10c60d381dade067256c29235d4fc4efa5424c5def4193473f1dac206b72a3c5ab19b982ef667ffaea54407f624fa311f317f79dbc941bbe22119c94f1f8c1fc

memory/2060-172-0x00000000012E0000-0x0000000001490000-memory.dmp

memory/2060-173-0x0000000000460000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\04b2823b-b194-456b-aeb7-173afa633f56.vbs

MD5 5488a03aca6dbbe13af45b2b5878ed18
SHA1 34236511bf427504cbf2e04bda405fbcea1ef304
SHA256 b1c06033c644e9aa0e8034d98caa17305a4392a23cf29dcdc31bc72af110d68c
SHA512 b66c1124ea11f57e9b717102f012234872b518b401f30bde5a4eab1658050d029f22b78eac9415f2a2cad2d66f6d5877db7800051a72fe4518ee534905a2f429

C:\Users\Admin\AppData\Local\Temp\68d747ab-e2cd-4bdf-a326-97595606517b.vbs

MD5 54a468f69a794de52fac828c2553a6af
SHA1 31cb8e749ac8a312c7bac338b8af74bc5e9722f6
SHA256 6a1df4045ccd9e3fc06c7de44975f9a5be774948abefc7cf8fd0795af114dffe
SHA512 595581bbd159c821bec308da3ef7b27a79de50800af9e69e538e2c8df7d314013020691d892d1b1b5cf7c3e4077e22c1288d574bde26a987780633e79a0b01ee

C:\Users\Admin\AppData\Local\Temp\d11ba26b-4933-4562-bc04-d6c9ffd2b3ae.vbs

MD5 5e29724014efe866468cca394701934b
SHA1 256377fa6adf54769b26c90b9c1846f68780adf9
SHA256 9e2907c9199eb858e3d63c935d490a80b67fc2d5ab095a032e32b91748f2a7cc
SHA512 5200d798a84802c381ba671e437a3162a211048d46f37b945f0a3e41e2b577ada1ec5f47b9afa1fa97986554d3b38cef632af1744ded50f5a549fafe0b1c1617

memory/2636-195-0x00000000012F0000-0x00000000014A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4f50e57a-a135-4259-94db-fcc8c5acb4bd.vbs

MD5 23adbb3f878c32f48548b671cb52db78
SHA1 f04085af3f364a48acab26f84bfdb797f7a6d367
SHA256 1223bfd00a89bdeb65dee7ba2458c4bdde3420ec4023912d3250598c50e3901f
SHA512 b92405c436e55d910eac01264f9ca2fa05095b5349d61d94211a5658e828955dcca697d566b1638fe8c99a0b4bee69a48004f04434d412c366cb8336afbd83b5

C:\Users\Admin\AppData\Local\Temp\eba172d5-ae07-446c-a51c-d53a414f594d.vbs

MD5 1e43276f7afd5dc79829d61ac5c39748
SHA1 09f4c185f2d8f87a3975af6e4b3ba0670245db5b
SHA256 ed0c0d66fd73e7b6e6846efa112c074a5be663ae108d3b5cb68780238fafd2c8
SHA512 cf15b976810de7d3360bd3259308aaf014b3afaf6e390bb033029971398e7de9bba67b330fbd073be7c0eaf72c9d301310f4283b24ee9c715a1eaa71d3c515d9

C:\Users\Admin\AppData\Local\Temp\7e9df990-6ee5-49cf-bf9e-d2b64d4cef69.vbs

MD5 9a25b461806157695c919738a37c28d2
SHA1 ffa8e2e2301333e5650cb6b53aa066c6661d746f
SHA256 29b02e0fa77de1230b91aeab62732bf48360760e70ee2f72ac033e3f77b0629f
SHA512 90023aea0a946acabca55c70cd4e0902669c8e4da224f04610d73e38d7c132050d1000c370cb8bdd96aff3e2f86541898636eaf94f617d5f6884bc4f5baa4322

C:\Users\Admin\AppData\Local\Temp\e6f72e65-069d-4105-9a90-374c53e8ebb6.vbs

MD5 b888caf087ea2022d5e1a0f8844c7492
SHA1 5e9d230b32e13c2e86edd47aece11550d199f89d
SHA256 e94e0ef0f48bb08db94db3958d2ec8bcc7a2105a2e04c499b56d38039bc0d221
SHA512 4d05fb14012f12e3b4384c077a54133ecad4bc8dcd4e1a9d0a1448aebcd5e4b728aad17ab5618ad8e4bf2f0aef5c1a748cf82ab51e8844015963ac38107c35e6

C:\Users\Admin\AppData\Local\Temp\093cb249-9c92-4fc5-a44b-c938acd84eaf.vbs

MD5 6d17e4e9740f4d7854caa0890074da79
SHA1 3f3e2fb71ad5017b536239896aa62cf6620249bf
SHA256 275df000e1547e331d3741212d6fd9add0f9eefb2a5b9babe94cca436961aabe
SHA512 86786aa91e8f069788c9df9bf4c17e2b461ed8d631c3a25818348249bbc34fc9b9e888f22bfc4c0b9a8ecb500dba31b928fb91aee064d8d738e196ceaf5e1cee

memory/2884-251-0x0000000000C80000-0x0000000000C92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\791c4edb-89e3-4e11-b368-7ad96592eab3.vbs

MD5 b5230970b847213f64875f7fba0ed173
SHA1 1fac2ceb73dcab053fd9c6185cb07081ccee7f14
SHA256 2fdd66d498ba8a70b667b516ca98fb4a969cd6fb8e2de4f110b6f32fa06b1133
SHA512 9ef6fd716ea4d5ad00552c37588fcff050952de7026331249814a3782b6c710b6ad2916a57a45887debd59d26f8e9f6e9fc5025ebebb3e99556c5969f1c0e2d9

memory/2036-263-0x0000000001370000-0x0000000001520000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0fb2bb95-b6ee-486c-ba90-ce26d667aa8f.vbs

MD5 766595d8eab74f73c2a5d6f56ade410c
SHA1 9cb823b872a8cfb672383b514f20c6094493e32c
SHA256 ba95d23116f8e838f8d40946c4ba97b8ed8695161b96b6a8af9ddd76f8d3959a
SHA512 65e4f97d04eaa3652eb8541ca2bbcd14301fb14a963aa4f9a112c81e9059977d8ad4fc07721b5d465a111303d7156eadae2e8e589c15de4cd64278b453572f6c

C:\Users\Admin\AppData\Local\Temp\9b5214a7-01a5-4ce9-b959-4ad57d3aa1c5.vbs

MD5 c592bfd9f2ecb2b314bbfef91536da8b
SHA1 a8ba7a0cbec7f0ef28286e7fb5c4a5420290c0f4
SHA256 28b2ec2d884fdcefc0a18632e36c538f9f2c35bcf2e63099fe57b307a893609c
SHA512 876de67bffb47fddfc16260813c02a930bf3b5c008b4031b11985d39a23a9bac2db007ffd55cdfeeae2a327e90150fa44ee06a8263bf96b689668390c095899a

memory/2580-286-0x0000000000360000-0x0000000000372000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\613d7958-e214-4eda-b690-e3aad559e623.vbs

MD5 a0fab8242727c949fb568dfcf926dad6
SHA1 da1854eab87a3ca5ff0af0d3ba54340752c0055d
SHA256 7abee378484388f474007dd5c0ccde88d67ee645a2f0bdbcec0f26acb53f08e2
SHA512 ba2c56ab0057b51cfded28963c6dd8297cbbbf25304f7e0b2bc1383e88c092f602c71a24c0caaa784e3f82828ad09fb3beff77fbb1c527c52d063535418417d2

memory/1632-298-0x0000000001390000-0x0000000001540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2c3c2a91-af01-44aa-8682-d25dbc135aee.vbs

MD5 a3c5c7a5e7bef542830ce2ddfe25564f
SHA1 b59eaca474ed0938e45f1c3ff46858f0b23adb1f
SHA256 5d4304e06f0cd7388a598971a7e99c760b4b9223842aa1edd6edef59143c9109
SHA512 9b34cffb789eb5ff972841d48e680a58f06ff753b077da9a70e86b7fe62c5fbcead3a03bda849e22c95362131afcb9d1d317d4db0d2b86e1da2ad0d282f2f7c4

memory/2884-310-0x0000000000340000-0x00000000004F0000-memory.dmp

memory/1948-322-0x0000000000A20000-0x0000000000BD0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 01:03

Reported

2024-05-16 01:06

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Local Settings\SearchApp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\sysmon.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files\Internet Explorer\ja-JP\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\RCX6119.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\sysmon.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ja-JP\RCX6A25.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\Adobe\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\9832c53a2e5202 C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\sihost.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\RCX526D.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX5E97.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ja-JP\sihost.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\smss.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RCX639A.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\Adobe\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\smss.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\sihost.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files\Internet Explorer\ja-JP\sihost.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\RCX49DD.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX661C.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX5A01.tmp C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\LanguageOverlayCache\dllhost.exe C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\Local Settings\SearchApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Local Settings\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\cmd.exe
PID 4872 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe C:\Windows\System32\cmd.exe
PID 3220 wrote to memory of 5372 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3220 wrote to memory of 5372 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3220 wrote to memory of 5276 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Local Settings\SearchApp.exe
PID 3220 wrote to memory of 5276 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Local Settings\SearchApp.exe
PID 5276 wrote to memory of 5996 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5276 wrote to memory of 5996 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5276 wrote to memory of 392 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5276 wrote to memory of 392 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5996 wrote to memory of 3184 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Local Settings\SearchApp.exe
PID 5996 wrote to memory of 3184 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Local Settings\SearchApp.exe
PID 3184 wrote to memory of 5760 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 3184 wrote to memory of 5760 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 3184 wrote to memory of 5564 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 3184 wrote to memory of 5564 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5760 wrote to memory of 5176 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Local Settings\SearchApp.exe
PID 5760 wrote to memory of 5176 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Local Settings\SearchApp.exe
PID 5176 wrote to memory of 5328 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5176 wrote to memory of 5328 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5176 wrote to memory of 5352 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5176 wrote to memory of 5352 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5328 wrote to memory of 1020 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Local Settings\SearchApp.exe
PID 5328 wrote to memory of 1020 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Local Settings\SearchApp.exe
PID 1020 wrote to memory of 5492 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 1020 wrote to memory of 5492 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 1020 wrote to memory of 5640 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe
PID 1020 wrote to memory of 5640 N/A C:\Users\Admin\Local Settings\SearchApp.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Local Settings\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe

"C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-711569230-3659488422-571408806-1000\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-711569230-3659488422-571408806-1000\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-711569230-3659488422-571408806-1000\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\USOShared\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d649" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d649" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\ja-JP\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-711569230-3659488422-571408806-1000\backgroundTaskHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\9697dd9c108c9d9bd2a67091f18650bb790d7ecce4f51c6f83aa5e4365b45d64.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\sihost.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BQsEHdtw3J.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1985019-cb7a-4a95-bee4-f995d0fd9f2d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28b05864-1138-4523-b551-d792fe443cd6.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bf1bcc6-64d0-4ce7-99db-622b1f227bcc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fd456f3-5044-445b-b03e-3ebffdd55049.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45b963ad-ccf6-4117-a862-be64a21476be.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a750050-8e25-4e11-b6ce-39788f7d33de.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f9c7270-d93b-430e-9e70-c992a804902a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd0b1ace-5b35-4dc4-a777-8c37dfc296bd.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da0a2037-5890-445c-9d55-d553c0c10965.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ec261a4-fa7d-44ac-8473-8e3862cc15fc.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1e9a754-f55e-4893-9864-ea030b86080f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0fe7dcf-bd0b-42f9-9351-9ea57f7adf26.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a235506-6a90-4739-a15b-71f4250590ec.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe8a3a81-a771-4f00-a48b-5790f0a625c0.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd3037f4-2d3e-4777-8c89-4eac1063d108.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c6d1b19-f4cd-40f1-b287-0bafa11bdd2f.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\197161ff-db6d-4a9a-a166-e853417e0293.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bde51cb-303c-4a5f-aa5f-05c975a16795.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c8b0107-012e-4c25-9249-7ebd62402bea.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d2f445c-d9e5-46fa-8345-a746f37af939.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20ff2c10-c44d-40c1-941c-240e2e372c96.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\835eb25c-4a14-420d-9401-36a1e45581cc.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12417d69-3dad-417c-9d43-7c51c06920d0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8667eb2-9b46-4209-bf83-03661baae822.vbs"

C:\Users\Admin\Local Settings\SearchApp.exe

"C:\Users\Admin\Local Settings\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92e630e3-36e0-47fe-88d7-2fc50a570f88.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cbc0307-6cbe-4d87-a69d-4e689f1dc667.vbs"

Network


Files
