Malware Analysis Report

2024-10-10 12:54

Sample ID 240531-kb9rmsdb38
Target 19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe
SHA256 19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963
Tags
rat dcrat execution infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963

Threat Level: Known bad

The file 19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer persistence

Process spawned unexpected child process

DcRat

Modifies WinLogon for persistence

Dcrat family

DCRat payload

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 08:26

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 08:26

Reported

2024-05-31 08:29

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..tcmdtools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_67f57cb09651767a\services.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\conhost.exe\", \"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\powershell.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\conhost.exe\", \"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\powershell.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\conhost.exe\", \"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\powershell.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\System.exe\", \"C:\\Users\\Public\\Desktop\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\conhost.exe\", \"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\powershell.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\System.exe\", \"C:\\Users\\Public\\Desktop\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\powershell.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\conhost.exe\", \"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\powershell.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\System.exe\", \"C:\\Users\\Public\\Desktop\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\powershell.exe\", \"C:\\Program Files\\Uninstall Information\\conhost.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\conhost.exe\", \"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\conhost.exe\", \"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\powershell.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\System.exe\", \"C:\\Users\\Public\\Desktop\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\powershell.exe\", \"C:\\Program Files\\Uninstall Information\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\conhost.exe\", \"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\powershell.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\", \"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\", \"C:\\Users\\Default\\Pictures\\winlogon.exe\", \"C:\\Users\\Admin\\services.exe\", \"C:\\Users\\Admin\\Templates\\audiodg.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\", \"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\conhost.exe\", \"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\powershell.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\System.exe\", \"C:\\Users\\Public\\Desktop\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\powershell.exe\", \"C:\\Program Files\\Uninstall Information\\conhost.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Users\\Default\\Links\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Admin\\Templates\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\powershell.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Users\\Admin\\Cookies\\powershell.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963 = "\"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Common Files\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\Links\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Uninstall Information\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963 = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963 = "\"C:\\Users\\Public\\Desktop\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Admin\\Documents\\My Pictures\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\DigitalLocker\\it-IT\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963 = "\"C:\\Program Files (x86)\\Windows Portable Devices\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\lib\\missioncontrol\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Internet Explorer\\SIGNUP\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Common Files\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Users\\Admin\\Cookies\\powershell.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963 = "\"C:\\Users\\Public\\Desktop\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\powershell.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Resources\\Ease of Access Themes\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\IME\\en-US\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\powershell.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Internet Explorer\\it-IT\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Uninstall Information\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default\\Pictures\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963 = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Internet Explorer\\it-IT\\conhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default\\Pictures\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Admin\\Templates\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\powershell.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Uninstall Information\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\Links\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Sync Framework\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Uninstall Information\winlogon.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\powershell.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Internet Explorer\it-IT\088424020bedd6 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\conhost.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Common Files\conhost.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Common Files\088424020bedd6 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\powershell.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\e978f868350d50 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows Mail\fr-FR\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Internet Explorer\SIGNUP\Idle.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\winlogon.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\RCXD3C8.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\a0fa4f1f523815 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\Idle.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\conhost.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Uninstall Information\conhost.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Internet Explorer\it-IT\conhost.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Uninstall Information\conhost.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Uninstall Information\088424020bedd6 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\explorer.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Uninstall Information\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\explorer.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\IME\en-US\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..tcmdtools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_67f57cb09651767a\services.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\Resources\Ease of Access Themes\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\DigitalLocker\it-IT\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\Resources\Ease of Access Themes\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\DigitalLocker\it-IT\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\IME\en-US\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\IME\en-US\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\Resources\Ease of Access Themes\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\DigitalLocker\it-IT\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\cmd.exe
PID 1708 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\cmd.exe
PID 1708 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\cmd.exe
PID 1792 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1792 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1792 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1792 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe
PID 1792 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe
PID 1792 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe
PID 1816 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe

"C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\br1tpLa245.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe

"C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\My Pictures\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Documents\My Pictures\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Pictures\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Templates\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\it-IT\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\it-IT\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Pictures\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\it-IT\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\winlogon.exe'

C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe

"C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\en-US\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\IME\en-US\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\en-US\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\it-IT\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963" /sc ONLOGON /tr "'C:\Users\Public\Desktop\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c9631" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Cookies\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Links\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\taskhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\en-US\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\taskhost.exe'

C:\Program Files (x86)\Common Files\conhost.exe

"C:\Program Files (x86)\Common Files\conhost.exe"

Network

Country  Destination        Domain            Proto
US       8.8.8.8:53         a0913612.xsph.ru  udp
RU       141.8.197.42:80    a0913612.xsph.ru  tcp
RU       141.8.197.42:80    a0913612.xsph.ru  tcp

Files

memory/1708-0-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp

memory/1708-1-0x0000000000130000-0x000000000032A000-memory.dmp

memory/1708-2-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/1708-3-0x00000000003D0000-0x00000000003DE000-memory.dmp

memory/1708-4-0x00000000004E0000-0x00000000004E8000-memory.dmp

memory/1708-5-0x00000000004F0000-0x000000000050C000-memory.dmp

memory/1708-6-0x0000000000510000-0x0000000000520000-memory.dmp

memory/1708-7-0x0000000002060000-0x0000000002076000-memory.dmp

memory/1708-8-0x0000000000520000-0x0000000000530000-memory.dmp

memory/1708-9-0x0000000002080000-0x000000000208C000-memory.dmp

memory/1708-10-0x0000000002090000-0x00000000020A2000-memory.dmp

memory/1708-11-0x00000000020A0000-0x00000000020AC000-memory.dmp

memory/1708-12-0x000000001A850000-0x000000001A85C000-memory.dmp

memory/1708-13-0x000000001A910000-0x000000001A918000-memory.dmp

memory/1708-14-0x000000001A860000-0x000000001A86C000-memory.dmp

memory/1708-15-0x000000001A870000-0x000000001A87E000-memory.dmp

memory/1708-16-0x000000001A900000-0x000000001A908000-memory.dmp

memory/1708-17-0x000000001A920000-0x000000001A92E000-memory.dmp

memory/1708-18-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

memory/1708-19-0x000000001ADF0000-0x000000001ADFA000-memory.dmp

memory/1708-20-0x000000001AE00000-0x000000001AE0C000-memory.dmp

memory/1708-21-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/1708-22-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/1708-23-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/1708-24-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe

MD5 29d80d247dfb4bd92b1bcfd7a7695d36
SHA1 0284cb27c754537c0440d9341a6fd07b0be1fa42
SHA256 19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963
SHA512 5b25f67c590204cb293e46e0eb10f47e0b02a3c3db1e6537c8a6414b598d4811c68c96a39b18391f750cf72fab4621eaec51fe4e4cc6b11c220823717e37c1e0

memory/1708-72-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0c99352d04f580a35a54dfdbbc5e740b
SHA1 824f65f53bfe43cafa1894825d8ff407826f10cb
SHA256 23c3af8a4c32d6d645b6b996ea40c806ed57aa35a34046ebd1fb4d886ddd3e8e
SHA512 a8acc38d8a01f5ff9f37710c20577b55682581e44e9552ce5c89053c3c6b42e4e19d75b1190943427d07b991c5be688c9e81793d505b6ba4b521d90387bcfe27

memory/1680-95-0x0000000002560000-0x0000000002568000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\br1tpLa245.bat

MD5 7d130cc59da2af39feb9a5168a77d3b4
SHA1 6b1323ec2c977f5877a9561a89731c611e0e79c2
SHA256 25f7998e71ba565a5ee5ab0da5d3e1cfe8d9c679c5b6b8e0b98f428ae616c460
SHA512 a13269327b35d02cf488cc2e650fa59e6d29860552645551b0dddbd18402479c4284fcde849fb3e1238cbe82db04fc177169d77907b53b39cbc82b8d8342db44

memory/2896-87-0x000000001B1B0000-0x000000001B492000-memory.dmp

memory/1816-106-0x0000000000AD0000-0x0000000000CCA000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1756-186-0x000000001B340000-0x000000001B622000-memory.dmp

memory/2528-208-0x0000000002210000-0x0000000002218000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 fdf79caf1782029ddcda7958de1ea0ef
SHA1 7177c3f84690d070e5e979db105f1a8e2e42b062
SHA256 9785ecec2b6aaf312cc600e037ee25e568073654b40e8bda5db5df21f19d893d
SHA512 409602a51ebb012a31ea415a96e6a000b62562ba191fd4cd2871baab3d77a523dc7998172855183720700481fdb4fe2167564ddac5989e166716d56dd2aa32ec

memory/920-336-0x0000000000360000-0x000000000055A000-memory.dmp

memory/920-376-0x0000000000350000-0x0000000000362000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 08:26

Reported

2024-05-31 08:29

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\", \"C:\\Windows\\twain_32\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\Public\\Videos\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\", \"C:\\Windows\\twain_32\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\Public\\Videos\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\", \"C:\\Windows\\twain_32\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\Public\\Videos\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\", \"C:\\Windows\\twain_32\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\Public\\Videos\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\", \"C:\\Windows\\twain_32\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\", \"C:\\Windows\\twain_32\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\Public\\Videos\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\explorer.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\ja-JP\\wininit.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\IDTemplates\\ENU\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\", \"C:\\Windows\\twain_32\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\", \"C:\\Windows\\twain_32\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\Public\\Videos\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\", \"C:\\Windows\\twain_32\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\", \"C:\\Users\\Public\\Videos\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\explorer.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\ja-JP\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\3D Objects\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\", \"C:\\Windows\\twain_32\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\odt\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\3D Objects\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\IDTemplates\\ENU\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Videos\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Portable Devices\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Videos\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\3D Objects\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\twain_32\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Common Files\\System\\Ole DB\\ja-JP\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\twain_32\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default User\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default User\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\IDTemplates\\ENU\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Microsoft.NET\\Framework64\\1031\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Common Files\\System\\Ole DB\\ja-JP\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\VideoLAN\\VLC\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ja-JP\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\wininit.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX3358.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\winlogon.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\VideoLAN\VLC\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX4118.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\wininit.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX2962.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX3AEC.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\VideoLAN\VLC\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\56085415360792 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\winlogon.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX221B.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\explorer.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\RCX35E9.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\RCX434C.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\explorer.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\RCX4560.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\1031\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\twain_32\Idle.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\1031\RCX2EE1.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\twain_32\Idle.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\1031\System.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\twain_32\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File created C:\Windows\diagnostics\scheduled\Maintenance\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\1031\System.exe C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
File opened for modification C:\Windows\twain_32\RCX3124.tmp C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\odt\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe C:\odt\csrss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe

"C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\3D Objects\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\3D Objects\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\Framework64\1031\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\1031\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\Framework64\1031\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\twain_32\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\System\Ole DB\ja-JP\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\Ole DB\ja-JP\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\System\Ole DB\ja-JP\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\1031\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\Ole DB\ja-JP\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\winlogon.exe'

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3288 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 a0913612.xsph.ru udp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
RU 141.8.197.42:80 a0913612.xsph.ru tcp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

C:\Program Files (x86)\Windows Portable Devices\explorer.exe

MD5 29d80d247dfb4bd92b1bcfd7a7695d36
SHA1 0284cb27c754537c0440d9341a6fd07b0be1fa42
SHA256 19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963
SHA512 5b25f67c590204cb293e46e0eb10f47e0b02a3c3db1e6537c8a6414b598d4811c68c96a39b18391f750cf72fab4621eaec51fe4e4cc6b11c220823717e37c1e0

C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX3358.tmp

MD5 f36750e9bf3bc6a8ca18132b7dcb6676
SHA1 ed17f637232b38346d21afdbe96954a238796b4f
SHA256 162d25dcad54748f60df7b062bb2eb91834666311a75d655dcd9507806eb76ba
SHA512 a882b9f7e4508f08279c0df6b68e4914577075e6953434b0b7ea16d8e833ef2c7e7f9a7f932b45cefcd1ef1acd87115a1c9966fd0e24d80e3c6b95be65c0aeea

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b353gcfj.hnv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 293a5e452e148112857e22e746feff34
SHA1 7a5018bf98a3e38970809531288a7e3efb979532
SHA256 05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551
SHA512 7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17fbfbe3f04595e251287a6bfcdc35de
SHA1 b576aabfd5e6d5799d487011506ed1ae70688987
SHA256 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6