Malware Analysis Report

2024-10-10 12:52

Sample ID 240601-k2gtjsha76
Target 959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe
SHA256 959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915
Tags: dcrat infostealer rat execution

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915

Threat Level: Known bad

The file 959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat execution

DcRat

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 09:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 09:05

Reported

2024-06-01 09:08

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (repeated 5 times)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A (repeated 2 times)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2364 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe (repeated 4 times)
PID 2364 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe (repeated 4 times)
PID 2364 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe (repeated 9 times)
PID 2728 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | C:\Windows\SysWOW64\WerFault.exe (repeated 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe

"C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe"

C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe

"C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe"

C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe

"C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe"

C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe

"C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 780

Network

N/A

Files

memory/2364-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/2364-1-0x0000000000E40000-0x0000000001150000-memory.dmp

memory/2364-2-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2364-3-0x0000000000490000-0x00000000004A6000-memory.dmp

memory/2364-4-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2364-5-0x00000000004B0000-0x00000000004BA000-memory.dmp

memory/2364-6-0x0000000009900000-0x0000000009B7A000-memory.dmp

memory/2364-7-0x0000000009B80000-0x0000000009DF4000-memory.dmp

memory/2728-8-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2728-18-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2728-19-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2364-20-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2728-16-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2728-14-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2728-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2728-10-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2728-9-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2728-11-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2728-21-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2728-22-0x00000000007F0000-0x00000000007FE000-memory.dmp

memory/2728-23-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2728-24-0x0000000074A00000-0x00000000750EE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 09:05

Reported

2024-06-01 09:08

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | (repeated 57 times)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Windows\de-DE\csrss.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\de-DE\csrss.exe | N/A (repeated 4 times)

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A (repeated 2 times)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\icsxml\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Windows Defender\en-US\RCXE797.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Google\RCXEEC1.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Common Files\RCXEAA7.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\RCXF464.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Windows Sidebar\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\04c1e7795967e4 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Google\RCXEF3F.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\hrtfs\WmiPrvSE.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Google\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files (x86)\Google\Update\Download\MoUsoCoreWorker.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files (x86)\Google\Update\Download\1f93f77a7f4778 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Windows Sidebar\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Google\dwm.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TrustedInstaller.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\RCXBA9.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\dwm.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCXF668.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Common Files\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\RCXF3E6.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files (x86)\MSBuild\66fc9ff0ee96c2 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Windows Defender\en-US\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\RCXE583.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Windows Multimedia Platform\RCXF88D.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\RCXBA8.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\dwm.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\Download\RCXF1C1.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files (x86)\MSBuild\sihost.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files (x86)\MSBuild\sihost.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Common Files\RCXEA29.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Windows Multimedia Platform\RCXF90B.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TrustedInstaller.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Google\dwm.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\RCXE563.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Common Files\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files (x86)\MSBuild\RCXE34E.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCXF679.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Common Files\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\Download\RCXF1D1.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\hrtfs\24dbde2999530e | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\en-US\RCXE7A8.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Windows Multimedia Platform\55b276f4edf653 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\WmiPrvSE.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\Download\MoUsoCoreWorker.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Program Files\Windows Defender\en-US\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files (x86)\MSBuild\RCXE33E.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\en-US\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\DiagTrack\Scenarios\121e5b5079f7c0 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Windows\DiagTrack\Scenarios\sysmon.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Windows\de-DE\csrss.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Windows\Sun\RCX701.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Windows\Sun\RCX77F.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Windows\DiagTrack\Scenarios\sysmon.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Windows\de-DE\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Windows\Sun\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Windows\DiagTrack\Scenarios\RCXFB8E.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Windows\de-DE\RCXFFC7.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Windows\de-DE\csrss.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File created | C:\Windows\Sun\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Windows\DiagTrack\Scenarios\RCXFB10.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Windows\de-DE\RCXFFC8.tmp | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A
File opened for modification | C:\Windows\Sun\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (repeated 57 times)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Windows\de-DE\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\de-DE\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5012 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe
PID 5012 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe
PID 5012 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe
PID 3728 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\w32tm.exe
PID 1892 wrote to memory of 3444 N/A C:\Windows\SysWOW64\w32tm.exe C:\Windows\system32\w32tm.exe
PID 324 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\de-DE\csrss.exe
PID 2744 wrote to memory of 4512 N/A C:\Windows\de-DE\csrss.exe C:\Windows\de-DE\csrss.exe
PID 2744 wrote to memory of 3040 N/A C:\Windows\de-DE\csrss.exe C:\Windows\de-DE\csrss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe

"C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe"

C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe

"C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe"

C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe

"C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe"

C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe

"C:\Users\Admin\AppData\Local\Temp\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Download\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Download\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\DiagTrack\Scenarios\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Scenarios\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Sun\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Sun\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Recent\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Admin\Recent\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Recent\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bn7xdIGxz7.bat"

C:\Windows\SysWOW64\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\csrss.exe

"C:\Windows\de-DE\csrss.exe"

C:\Windows\de-DE\csrss.exe

"C:\Windows\de-DE\csrss.exe"

C:\Windows\de-DE\csrss.exe

"C:\Windows\de-DE\csrss.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef1fb8d2-a1a6-4d96-ab42-e869e9a993bd.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daa5d34a-e629-45bf-9a5f-80b31a1be89d.vbs"

C:\Windows\de-DE\csrss.exe

C:\Windows\de-DE\csrss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 m112298.hostde23.fornex.host udp
DE 212.224.113.81:80 m112298.hostde23.fornex.host tcp
US 8.8.8.8:53 81.113.224.212.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915.exe.log

MD5 95b0eabd8c9c516fc2d8632ff8f4dc10
SHA1 8118b2b54184a5add848198f36a905b9a511940e
SHA256 1ad8f00e485dbebe5a1f40f60b9e588e6563c4feef20b8134f335b3e16208dc3
SHA512 60147da0bc922f18e2eeae00dc7dda1caa432df6ed0f853cd4757535bf371536902c1ce1bc40db167540bbc79dedf9a742498fab5bafcbd1053c4b2dd9c79e62

C:\Recovery\WindowsRE\OfficeClickToRun.exe

MD5 b0a2f53baa478b541ddab184cb0b3820
SHA1 4a7c64dad7d8e9b468f81af6112d2c7fec3d79e7
SHA256 959800fa97270fcdfc8dd6795a1040a0972a8be32820950ff79551b7a1800915
SHA512 8b31cacd4eddbf829da987bb65a64a9cef4de31a5762031ed5b542f18bf91e43f1883a90f2fb82fb5c669c332a9facb28b9f2609aca7dc4af3b35036ac5d1a5d

C:\Program Files\Common Files\spoolsv.exe

MD5 a30f1b1a6c79f19535351296549fe316
SHA1 32c0f7cfb4cbcb4ccc65513cbf2b1b54f46a10a5
SHA256 9084c5243b4a27b77a2d146d576cac4e3c976141d0c9046c1e3059445a1b2084
SHA512 8b8807e989af8ae4751d87f6902071b94a8a644799ca7d283739ca9bb13ffb414ac4e63e3d7eeb4cf3635b040d4de3dfda4e57bdc63701e1ceb2cc4c71ad0082

C:\Program Files\Windows Sidebar\RuntimeBroker.exe

MD5 19febcab1667c460127fdbd6afcd1f11
SHA1 3cfbfba0c68a6c36137ec84b04fb78bb9ed3e268
SHA256 4482c20b2f4f0f9e7c07e7547e0577e5823aae6b4e33de4ce1946a0d5d70aa1c
SHA512 4cbd43333ba98cd2bc1852522967beae073c293439ae80d3940ca3a54e45c20529f522439cf03ec8427f39ad4e32eb634026bb40c196e8da9e94257b5c2db6c5

C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe

MD5 0fa93d246d1ce3c9e8dbac635b5dcfb0
SHA1 0052cc45eb54a1398e220b0944d031c584aaea57
SHA256 47b2d6f1abf28ffa197876a784cc2cc45f699593463944f9cd31dd3b5fd63f12
SHA512 297183d572680c19278a216d1118febd8cbca755815275057b7fa30574a02f907007b4ba48107426042c6f535f76a0a40fd32df68e6d956b0038f912d078a5e5

C:\Windows\DiagTrack\Scenarios\sysmon.exe

MD5 3212a305b1d5a3be435249ecf22e5b91
SHA1 fa7523dbbf1dc7c3785b0e75fac24cf230df7b62
SHA256 7934f28bdca0663f93305c84b561ee25cd49cf615206f5bf0c73970bcedf36f5
SHA512 dde0d98c16dc99916f70e02c5b8284dbca7f41079138c4fe004c2a2090f5ef0baa20057ea438ed02cf1fa88872095d5f995a3b6377004b6f92fb063a9c2fc341

C:\Windows\Sun\spoolsv.exe

MD5 7684cadb52195f9c4638eaae7ffa7194
SHA1 c1672d3b814b830aa08335c23db0c9590ec79842
SHA256 e61941bf7a65b0bdfff361dac6c9dda2d3a25bde7906ce7d476084ca166530c5
SHA512 d24ce6ff0cfb4162a899407b37608ba6eb3b1e17332712b8584b20b8e2261d5238ce71f3e6ea28dcf89a7147c76113bfea3319af58abda300b57e4cb5d57b4d0

C:\Users\Admin\System.exe

MD5 9492e6e646857b72ee0f3e26a15e30b6
SHA1 382b870f02dadcdfc66af6bafe079bc1cf32626d
SHA256 3d5a06a85a1d68ae9d1e3a2d9cb5cef96160e581018510d57c6250642f2a7f9d
SHA512 81db92a55e7de9263661d5a66fd48b57d034f9f1bfbc035ac08988ba45d10c71136f01417fa0e375541207ed830d162a350e05e7965ed37d9c9610575ebb8a30

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eesg4qbq.l12.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\Bn7xdIGxz7.bat

MD5 e556365b0f58e6fc5f8be02d46e55a44
SHA1 09cb702142c49ca435c6712609bfa4f5ecd96625
SHA256 5cb30fcc22e5defc30768826768b5d3af0808f525708e7afa940645f94938b34
SHA512 924037240f00ad011d52f271f3f18016b022580b5965b0f26ec1b473ebcfb31d2aff2ac9177c1d414afaae7d03a264c9a4de335f371e967545a9cf49f4f48ed4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bde9cc61be1a6fad695af8117bba0f3e
SHA1 0682df61360540184e32f941cb3d54e6b4341bba
SHA256 de026a069829e5a5440a2ff8fad5be9efdf19f532a91fc9d336fc741c487c1f2
SHA512 60a12c7356442f698bd32f7e80a51dafb4aacac03a097aa78d600b1d449143a880ad958d12a2f8a91fa5950badf9246dcac436f71be43c5dc178ea063f51da3f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 df1ca8d9ad9f3cb98083560423dbe15d
SHA1 1b73b7ba17860223878cbda0b287bc34d00bc69d
SHA256 1ed1b788d6b3bf5f25b0c14ca143c9d4f9a5a4be75ef165c204fda20da599eb9
SHA512 7ce9c450141daea1ae3f752c410e0d8a6056798e7f1a3d7ba686326a650885b60b3011c96baf7b6b6cecfde5e3d28a5c2df7733ff394e45351aaa0e59ab84104

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57ff1c1579570510a16ec2b1ecfc038d
SHA1 f650324a9edc31bcf1841397caf4e32ef025bb35
SHA256 6e789b194458a7d9c1d6ddb77b1db08bc786f3f77112b49bf5491cdd6361f5da
SHA512 269669c982048d96df5e742c33ae313d9e3d65169a68471ad7bf2b701412d6ae0052cf753c05d1eff54938c8e31b0e29785a98e929901e113b8a6060eee0f944

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8792f3c11c6158244335c2a8a22618e6
SHA1 3bd98713c875f14bc422abd1db8503e218c63d5e
SHA256 3114c8b3ebe4ae91963dda99efe7f78dfa73d51ddb22487d49883ed42f6bab6e
SHA512 5ebada5bae6bdc86245899649fce274cb19d9de2814c4e1a18492ee49f2351bb2d231a700804231cc425ed7361ec9f522b3f4874c3b1829b97821d98a1f1ebe7

C:\Users\Admin\AppData\Local\Temp\ef1fb8d2-a1a6-4d96-ab42-e869e9a993bd.vbs

MD5 8d39c8d5f2bbcbf32cde5cb62f16515f
SHA1 1e594d6b58c1e000c1ff6073c38a931786e52769
SHA256 d911908c3bbc57323f84492b708b2d72cba6eb488fa8a2bf75a0291dd4194c73
SHA512 98a6d61a4c2e4b98150b2c98dc8c0aabce21df836b7509aaad14bcae62c0ca67f76cd98b3030744941b8f96c51da5453b9eec7f50f30b105d6e6dd56b4594a88

C:\Users\Admin\AppData\Local\Temp\daa5d34a-e629-45bf-9a5f-80b31a1be89d.vbs

MD5 9d6f3f4f984fad85c98e96aa5afc29ec
SHA1 7438485ec71d9092b7ef10ad600d325a9e31b7d4
SHA256 2c6e511c5126ab9d19abc0aa30efbf1d22e6ba0a453f14ea4c713209c0cfcf51
SHA512 14d1dbadec455d3cb201ede92bc1e55bf22d075c41b5826754e4f0313a80e920f774f2f42764674de6974b90d974f523b14a731e875f37d479c4c53a9149afd1