Malware Analysis Report

2024-10-10 13:00

Sample ID: 240617-bkllqsxcrd
Target: 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
SHA256: 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d
Tags: rat dcrat evasion infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d

Threat Level: Known bad

The file 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe was found to be: Known bad.

Malicious Activity Summary

Tags: rat dcrat evasion infostealer trojan

UAC bypass
Process spawned unexpected child process
DCRat payload
Dcrat family
DcRat
DCRat payload
Detects executables packed with SmartAssembly
Checks computer location settings
Executes dropped EXE
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
System policy modification
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-17 01:12

Signatures

DCRat payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 01:12
Reported: 2024-06-17 01:14
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Count | Description | Indicator | Process | Target
39 | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A

DCRat payload

rat
Count | Description | Indicator | Process | Target
8 | N/A | N/A | N/A | N/A

Detects executables packed with SmartAssembly

Count | Description | Indicator | Process | Target
3 | N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Count | Description | Indicator | Process | Target
6 | N/A | pastebin.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Program Files\DVD Maker\wininit.exe | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Program Files\Windows Defender\ja-JP\csrss.exe | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Program Files\Windows Portable Devices\explorer.exe | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Program Files\Windows Portable Devices\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Program Files\DVD Maker\56085415360792 | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Program Files\Windows Defender\ja-JP\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\ja-JP\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Vss\Writers\Application\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File opened for modification | C:\Windows\Vss\Writers\Application\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Windows\Vss\Writers\Application\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Windows\Vss\Writers\Application\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Windows\rescache\rc0006\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Windows\inf\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
File created | C:\Windows\inf\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Count | Description | Indicator | Process | Target
39 | N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Count | Description | Indicator | Process | Target
9 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | N/A
55 | N/A | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | N/A

Suspicious use of WriteProcessMemory

Count | Description | Indicator | Process | Target
3 | PID 1744 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
3 | PID 960 wrote to memory of 1032 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\WScript.exe
3 | PID 960 wrote to memory of 2192 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\WScript.exe
3 | PID 960 wrote to memory of 2616 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\cmd.exe
3 | PID 2616 wrote to memory of 2732 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
3 | PID 1032 wrote to memory of 2724 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
3 | PID 2724 wrote to memory of 2408 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\WScript.exe
3 | PID 2724 wrote to memory of 1824 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\WScript.exe
3 | PID 2616 wrote to memory of 2232 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
3 | PID 2724 wrote to memory of 696 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\cmd.exe
3 | PID 696 wrote to memory of 1644 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
3 | PID 2408 wrote to memory of 2844 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
3 | PID 2844 wrote to memory of 2304 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\WScript.exe
3 | PID 2844 wrote to memory of 1152 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\WScript.exe
3 | PID 696 wrote to memory of 880 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
3 | PID 2844 wrote to memory of 484 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\cmd.exe
3 | PID 484 wrote to memory of 2972 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
3 | PID 2304 wrote to memory of 1616 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
3 | PID 484 wrote to memory of 1348 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe
3 | PID 1616 wrote to memory of 2140 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\WScript.exe
3 | PID 1616 wrote to memory of 612 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\WScript.exe
1 | PID 1616 wrote to memory of 2624 | N/A | C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe | C:\Windows\System32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\inf\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3d9c020-32f5-4925-a35c-3f84e0aea401.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdfd84b7-f76e-48c5-98b5-91cdb5474d6e.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6da34303-1e54-4da0-8410-22ba6434089d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17a14373-708a-4c6e-b843-b940668cd897.vbs"

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4783d3d0-9214-4696-a2c9-c47a6c342dbb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f02c796-f641-4602-9e01-578c9bece96b.vbs"

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6daca6e-cf87-454d-9ddf-1689b4d38326.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfb5ee55-1cb8-48ab-8075-ef2754ec4cb5.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ebf90b0-921b-4a46-b945-26c0100cc2bb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d98c515c-862a-4a22-92f5-84a4390ceffe.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edc0abb5-ac17-4fc7-a538-c4bf04ab467f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ac34bb-22dd-49df-900b-2ea5b6fa2455.vbs"

C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp

Files

memory/1744-0-0x000007FEF5553000-0x000007FEF5554000-memory.dmp

memory/1744-1-0x0000000000B00000-0x0000000000CC0000-memory.dmp

memory/1744-2-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

memory/1744-3-0x0000000000240000-0x000000000024E000-memory.dmp

memory/1744-4-0x0000000000250000-0x000000000026C000-memory.dmp

memory/1744-5-0x0000000000540000-0x0000000000556000-memory.dmp

memory/1744-6-0x00000000004F0000-0x0000000000502000-memory.dmp

memory/1744-7-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

memory/1744-8-0x0000000000A90000-0x0000000000A9A000-memory.dmp

memory/1744-9-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

memory/1744-10-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

memory/1744-11-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

memory/1744-12-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

memory/1744-13-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

memory/1744-15-0x00000000020D0000-0x00000000020DE000-memory.dmp

memory/1744-16-0x00000000020E0000-0x00000000020EC000-memory.dmp

memory/1744-14-0x00000000020C0000-0x00000000020CA000-memory.dmp

C:\Windows\Vss\Writers\Application\dllhost.exe

MD5 3fee7ded96ac1d470212d26fccc60898
SHA1 e2c6d4561548dab022de28002fdee09daf90eae6
SHA256 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d
SHA512 4bbbab7f897295df7ad67ccaf9362557ece7ce352716cad8a7529ab7824b01732a9dcadf96954611c1c6628e1c0d3c59787daf243172bf1b5f12a6e6e9278ea0

memory/960-49-0x0000000001310000-0x00000000014D0000-memory.dmp

memory/1744-50-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c3d9c020-32f5-4925-a35c-3f84e0aea401.vbs

MD5 696485736619f1d9ff5de016110fb453
SHA1 a96e352e07dd441ffc6e79cd64dc0f05718e998a
SHA256 f57e09032ae4bd7ba6afb4049e51763d1093ec00e21111adbd49edc4c7be99a2
SHA512 b65f05d42878a48e622519efd4de916061be1ab9cf550e4855c4523be5bfdb28bd974390313f4af7a300d13abde26fac337a6120a27cf2db4a898b580fb44e6f

C:\Users\Admin\AppData\Local\Temp\cdfd84b7-f76e-48c5-98b5-91cdb5474d6e.vbs

MD5 a6924cb51f8897ac37278d6a24cba82d
SHA1 0bb3ba91c2000f584de0033e0b25f0f8f2db4d11
SHA256 deb063cae78c7b4030b32ed319db6af2b2e652558b848542936ef7e491aa7783
SHA512 edfe1fdf6455a8e64f2ef75ee407456c30753ea97498014d8a19e6cbb2fd76a29f9a8df84294fded1975879ee9252415d736f340a4560fb893bfac0aa1b5ed27

C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

MD5 85ad34e9a329da699524548d774acd9b
SHA1 1da19d29ee6c56e0901c92e9c832c02bb7001ead
SHA256 7e6a3447725faf2d94da8b268b8d6b30a787a8ca950dc05d158a352bbb29f27a
SHA512 bd90478dc9f9e387f655d65f9ef97d6f09b85ad2d477a3b1852efad127b55385ab7e15f48203a345892861745c01ca28e7793bc06da743fa974a4c0b4eee3856

memory/2724-66-0x0000000000280000-0x0000000000440000-memory.dmp

memory/2724-67-0x0000000000270000-0x0000000000282000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6da34303-1e54-4da0-8410-22ba6434089d.vbs

MD5 a407f846413460c82cef53b34cc53257
SHA1 9497a0d8e6cbfccef41641b32ec8762df329e299
SHA256 9ca9b83b9050583bc5c88cbdee4c32404d1b26d1b84547c196d8f6215e82bb6a
SHA512 8be9fea103350a9324962126871ec75dc023ef9a25c61fcd5b24b3d392c55839d6808fed0982eec1e7400cf603df8da3c922898fbbb76339214bc72e7411a046

C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

MD5 3e76afb0774f156e00ee46b479c66ee3
SHA1 d0f1292631dc05ff9fd794a3c8ae3d2fdef31e6b
SHA256 9aed81b9a8984e5d9764bd1414e5ca5ed60099033c682e1ad941e00169a22d08
SHA512 15efeeae00646c89a16b393ab93431e4ca0798ad47fb266721ff61aa1ea21c8dd787a69f838ed254074bd8475453688ece26d12957ac3f6b73ba377088d1e209

memory/2844-85-0x0000000000840000-0x0000000000A00000-memory.dmp

memory/2844-86-0x00000000001D0000-0x00000000001E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4783d3d0-9214-4696-a2c9-c47a6c342dbb.vbs

MD5 1389965b2bf8054a423f461898203e0a
SHA1 f624a54f1a96fb5f99351d80e3f317bd92147e76
SHA256 cd3b49236711e479c61c0927368e1e18535702a8308ef5827a2b0102898d8812
SHA512 4798baae862f647e04b91b121fe0ea0f47ead9fd7df2592160088d6a9b511cdffd9433ba5336feb0f1b9a06e431463fb16c3925131dc093d6248f08dc132e469

C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

MD5 050e81505385e7b8676654d66d91491b
SHA1 ce6e08e8d472a1d86e2051ce415130149cac5f53
SHA256 0e65a5d613a023eae12503fda564a0fe7d6b078b7f1565981b63dbfebdea1236
SHA512 365c6668edfbded9a4d625ff94cf2ae1fb43323cc444f095b80b4379dac06b73a7230fa837b8a2584e697f2b16b30a6732682d7a17087e0e5ad58cfc73fc6857

memory/1616-104-0x00000000008E0000-0x0000000000AA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b6daca6e-cf87-454d-9ddf-1689b4d38326.vbs

MD5 8f1872eb06a55df08c060e8603e998fd
SHA1 92ceff3a0a66f3c9636282886507b4044ad2bc8b
SHA256 017889c8aba3b7f375ff0937278e8291ad4503df338dda0490e9b3f48e3b30f5
SHA512 fd372b9d75bccbeb1fbf661fd55d0635b157edbedb4ce7f94a05ee83ac23a6871cd0622a58e74e6ef3297fe5aa1efb6ad553f517e3836d9de124cd6f8dcd3cc5

C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

MD5 f6be5e20d69f638d3687fa208b14ff8d
SHA1 46b64fe249437dcda01ceae6131fb00251d2a3f9
SHA256 37ac3dc9263d4200b47b6789729ee0097d4247123d47507789ef76773d92f420
SHA512 a4a0c20f963235bbf9761562e39a8e6c6819ae16e43395ea6765c689c6bfdeb0ed11e6680ced920ed1cc6c588c12542157facd9b95b556f7a095348bb06ee5c7

memory/2732-122-0x0000000000D50000-0x0000000000F10000-memory.dmp

memory/2732-124-0x0000000000150000-0x0000000000162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8ebf90b0-921b-4a46-b945-26c0100cc2bb.vbs

MD5 172b13d927bea81bace1ee628b7dfa22
SHA1 a02c78759847865ff45b6157c06172312f86ca25
SHA256 382a4ac2c3b053fc953e4d5aae22e76c1babd5ee1f8382cee6e556801c92cd78
SHA512 2c21ff8196286ecf468598ce781eceae569485cd62d39dcafe9697f6b4956bf4294c00b4361666ab7b19187ced49c59c39650d5074f690ab6a375ee593b4e15e

C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat

MD5 96deed62975dc353a4fbd01d263bd906
SHA1 a056f7f5f76aa187cb984e77d61874d102954936
SHA256 8a02ea05b70f451fd129ec135374dc5c4943b55989c98950dc10da850c2b72b2
SHA512 aafea06fc8d1b1ccf49cb7c5bb982ebaf65d3e4f1152a76c8b5f3003d34fe19855a7f6273fb0e8990329bbc61b1a6155210c725a9eb26c8f0b7fa38d6ead6926

memory/2132-141-0x0000000000DC0000-0x0000000000F80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\edc0abb5-ac17-4fc7-a538-c4bf04ab467f.vbs

MD5 1e3a714e226f03b4a14780b59fd11ede
SHA1 b63423c7f87a1962907d7e54ed30f6f867a5938c
SHA256 e4e4acc1b2c74bea87fa9eb841fee3f584c946eb092f04443de062abb673d5e8
SHA512 f3ff4899c102d82c7a73b8a1eff66c4bd0e6df3b9383a98fecafeea6d08e915b284fc82daacefc500233b40a29c5b2c226b2f27fa501cdb0e3ef102016b1a972

C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

MD5 052ea7bb8a23dea455870ed14e3919d3
SHA1 f1584d5911ee970a3535dc174290c703f3db42a7
SHA256 606cde1208d981a10d0659ce869696724d6eaaac467b1cbe69d1df28f6d5a7e4
SHA512 ac2ca17930918dcef71ee575ea04ec107903025c8f05248b9b1e5cec22844e96e98db17500dd5c1434a994a9e04d9fbd088f51fbbd1bdb5f859c12d837196af4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 01:12

Reported

2024-06-17 01:14

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Multimedia Platform\sysmon.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files\Windows Multimedia Platform\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\3fdd53c7531fcc C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Adobe\wininit.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Adobe\56085415360792 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WaaS\tasks\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Windows\Provisioning\Autopilot\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Windows\Provisioning\Autopilot\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 2512 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 1844 wrote to memory of 3196 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 1844 wrote to memory of 3196 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 1844 wrote to memory of 4836 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 1844 wrote to memory of 4836 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 1844 wrote to memory of 3548 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 1844 wrote to memory of 3548 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 3548 wrote to memory of 2964 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3548 wrote to memory of 2964 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3196 wrote to memory of 2896 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 3196 wrote to memory of 2896 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 3548 wrote to memory of 3320 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 3548 wrote to memory of 3320 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 2896 wrote to memory of 1988 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2896 wrote to memory of 1988 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2896 wrote to memory of 4332 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2896 wrote to memory of 4332 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2896 wrote to memory of 4924 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 4924 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 4924 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4924 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1988 wrote to memory of 5068 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 1988 wrote to memory of 5068 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 5068 wrote to memory of 2176 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 5068 wrote to memory of 2176 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 5068 wrote to memory of 1172 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 5068 wrote to memory of 1172 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 5068 wrote to memory of 4980 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 5068 wrote to memory of 4980 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 4980 wrote to memory of 516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4980 wrote to memory of 516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4924 wrote to memory of 2568 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 4924 wrote to memory of 2568 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 2568 wrote to memory of 4472 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 4472 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 2684 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2568 wrote to memory of 2684 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 4876 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 2176 wrote to memory of 4876 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 4980 wrote to memory of 1104 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 4980 wrote to memory of 1104 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 2568 wrote to memory of 3548 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 2568 wrote to memory of 3548 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 3548 wrote to memory of 1136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3548 wrote to memory of 1136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4472 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 4472 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 3548 wrote to memory of 4812 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 3548 wrote to memory of 4812 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 2372 wrote to memory of 3460 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 3460 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 5116 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 5116 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 3196 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 2372 wrote to memory of 3196 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 3196 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3196 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3460 wrote to memory of 2472 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 3460 wrote to memory of 2472 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
PID 2472 wrote to memory of 4940 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2472 wrote to memory of 4940 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2472 wrote to memory of 1132 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
PID 2472 wrote to memory of 1132 N/A C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\WScript.exe
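
How the rows above fit together, as an added example that is not part of the sandbox report: a parser that reads the "wrote to memory of" rows exactly as printed, collapses the doubled rows (the sandbox logs one row per WriteProcessMemory call), and walks parent to child. The rows embedded below are a subset copied from the table; the regex and the lineage logic are this example's own.

```python
"""Rebuild process lineage from the report's 'wrote to memory of' rows.

Added example, not part of the sandbox report. Rows are copied from the
table above; the regex follows the printed format exactly:
  PID <parent> wrote to memory of <child> N/A <parent image> <child image>
"""
import re

SAMPLE = "76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"
DROP_DIR = r"C:\Program Files (x86)\Internet Explorer\SIGNUP"

# Subset of the rows above. The sandbox logs one row per write call, so the
# first pair is a genuine duplicate and must be collapsed, not counted twice.
ROWS = r"""
PID 4980 wrote to memory of 1104 N/A C:\Windows\System32\cmd.exe DROP_DIR\SAMPLE
PID 4980 wrote to memory of 1104 N/A C:\Windows\System32\cmd.exe DROP_DIR\SAMPLE
PID 2568 wrote to memory of 3548 N/A DROP_DIR\SAMPLE C:\Windows\System32\cmd.exe
PID 3548 wrote to memory of 1136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3548 wrote to memory of 4812 N/A C:\Windows\System32\cmd.exe DROP_DIR\SAMPLE
PID 4472 wrote to memory of 2372 N/A C:\Windows\System32\WScript.exe DROP_DIR\SAMPLE
PID 2372 wrote to memory of 3460 N/A DROP_DIR\SAMPLE C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 3196 N/A DROP_DIR\SAMPLE C:\Windows\System32\cmd.exe
PID 3196 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3460 wrote to memory of 2472 N/A C:\Windows\System32\WScript.exe DROP_DIR\SAMPLE
""".replace("DROP_DIR", DROP_DIR).replace("SAMPLE", SAMPLE)

# The parent image is matched non-greedily up to the first ".exe " so that
# paths containing spaces ("Program Files (x86)") still split correctly.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?\.exe) (C:\\.+\.exe)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """De-duplicated (parent_pid, child_pid, parent_image, child_image) edges."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, pimg, cimg = m.groups()
        key = (int(ppid), int(cpid))
        if key in seen:
            continue
        seen.add(key)
        edges.append((key[0], key[1], pimg, cimg))
    return edges


def build_tree(edges):
    """Map pid -> image path and pid -> parent pid."""
    image, parent = {}, {}
    for ppid, cpid, pimg, cimg in edges:
        image[ppid] = pimg
        image[cpid] = cimg
        parent[cpid] = ppid
    return image, parent


def ancestry(pid, image, parent):
    """Image basenames from the earliest known ancestor down to pid."""
    chain = []
    while pid is not None:
        chain.append(basename(image[pid]))
        pid = parent.get(pid)
    return list(reversed(chain))


def relaunches(edges, target):
    """(pid, helper) for every copy of `target` whose grandparent is also
    `target`: the .vbs or .bat helper in between was only a trampoline."""
    image, parent = build_tree(edges)
    hits = []
    for pid, img in image.items():
        gp = parent.get(parent.get(pid))
        if img.endswith(target) and gp is not None and image[gp].endswith(target):
            hits.append((pid, basename(image[parent[pid]])))
    return sorted(hits)


EDGES = parse_rows(ROWS)

if __name__ == "__main__":
    image, parent = build_tree(EDGES)
    for pid in sorted(image):
        print(pid, " -> ".join(ancestry(pid, image, parent)))
    print("relaunched through a helper:", relaunches(EDGES, SAMPLE))
```

Two lineages come out of this subset. PID 2472 is WScript.exe → sample → WScript.exe → sample, the .vbs relaunch loop; PID 4812 is sample → cmd.exe → sample, the .bat variant, and in that branch cmd.exe starts w32tm.exe first. The w32tm /stripchart /computer:localhost /period:5 /samples:2 calls in the process list are not time synchronisation; run from the dropped .bat files they only hold the script for a few seconds before the next copy of the sample is started.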

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
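
What these registry writes do, as an added example that is not part of the sandbox report: a parser for the "Set value (int)" rows above, a comparison against the Windows defaults for a UAC-enabled machine (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1), and a helper that reads the same three values from a live Windows host so the check can be repeated on a machine under investigation. The rows embedded below are copied from the table, plus one constructed control row (a value already at its default) to show the negative case.

```python
"""Triage the UAC policy writes in the 'System policy modification' table.

Added example, not part of the sandbox report. ROWS are copied from the
table above plus one constructed control row; the expected values are the
Windows defaults on a UAC-enabled machine.
"""
import re
import sys

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (secure default, what the observed value 0 achieves)
UAC_POLICY = {
    "EnableLUA": (1, "UAC disabled outright; takes effect at the next reboot"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate silently, no consent prompt"),
    "PromptOnSecureDesktop": (1, "any remaining prompt appears on the normal desktop, "
                                 "where other processes can drive it"),
}

SAMPLE = "76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"
DROP = r"C:\Program Files (x86)\Internet Explorer\SIGNUP"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Six rows copied from the table above; the last row is constructed
# (a write that leaves the value at its default) and must not be flagged.
ROWS = r"""
Set value (int) KEY\PromptOnSecureDesktop = "0" DROP\SAMPLE N/A
Set value (int) KEY\ConsentPromptBehaviorAdmin = "0" TEMP\SAMPLE N/A
Set value (int) KEY\EnableLUA = "0" DROP\SAMPLE N/A
Set value (int) KEY\ConsentPromptBehaviorAdmin = "0" DROP\SAMPLE N/A
Set value (int) KEY\EnableLUA = "0" TEMP\SAMPLE N/A
Set value (int) KEY\PromptOnSecureDesktop = "0" TEMP\SAMPLE N/A
Set value (int) KEY\EnableLUA = "1" C:\Windows\System32\svchost.exe N/A
""".replace("KEY", POLICY_KEY).replace("DROP", DROP).replace("TEMP", TEMP).replace("SAMPLE", SAMPLE)

ROW_RE = re.compile(r'^Set value \(int\) (\\REGISTRY\\[^ ]+)\\([A-Za-z]+) = "(-?\d+)" (C:\\.+\.exe) N/A$')


def parse_rows(text):
    """(key, value name, int value, writing process) for each row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key, name, value, proc = m.groups()
            rows.append((key, name, int(value), proc))
    return rows


def assess(rows):
    """Every UAC policy value that differs from its secure default, with the
    directory of each process that wrote it."""
    findings = {}
    for key, name, value, proc in rows:
        if key != POLICY_KEY or name not in UAC_POLICY:
            continue
        expected, effect = UAC_POLICY[name]
        if value == expected:
            continue
        f = findings.setdefault(name, {"observed": value, "expected": expected,
                                       "effect": effect, "writers": []})
        writer = proc.rpartition("\\")[0]
        if writer not in f["writers"]:
            f["writers"].append(writer)
    return findings


def read_live_uac_policy():
    """The same three values from a live Windows host (None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    sub = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    live = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as k:
        for name in UAC_POLICY:
            try:
                live[name] = winreg.QueryValueEx(k, name)[0]
            except FileNotFoundError:
                live[name] = None
    return live


if __name__ == "__main__":
    for name, f in assess(parse_rows(ROWS)).items():
        print(f"{name} = {f['observed']} (default {f['expected']}): {f['effect']}")
        for w in f["writers"]:
            print("   written by process in", w)
    live = read_live_uac_policy()
    if live:
        print("live host:", live)
```

Writing under HKLM\...\Policies\System already needs an elevated token, so these rows show the sample ran with administrative rights in the sandbox (both the copy in Temp and the copy in SIGNUP wrote them). The values it sets remove the prompt for later elevations (ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0) and switch UAC off entirely at the next reboot (EnableLUA=0); within the 150-second detonation window the reboot never happens, which is why the signature is classified as evasion rather than as a completed privilege change.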

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d7" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d7" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Provisioning\Autopilot\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Autopilot\sppsvc.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b876f832-f1f7-423a-b713-debfeab4aa96.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91921fb4-3bc4-4050-aa17-8b69db4d4d30.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3576606c-d162-4362-bc50-1dfbdb66e09c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a790515-76c2-4b74-9793-36086754375f.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe0e0668-e77a-4a7d-967c-8fa434ecaf1c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\476e8edf-4f74-429a-bebd-baf209ade9d2.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1f98294-b8f0-4246-979d-ce0008475972.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e070f35-e38c-40ae-8a2e-dbc19f4d1fcb.vbs"

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4075010-9856-4de2-95de-efd71ff675bd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\314584ab-4bb9-431b-938b-edbdea25e330.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b07ac98-a516-4e58-96c1-c3e40a651bdd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89a466c0-ebbd-4741-9429-2450b8041132.vbs"

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58cc7392-b918-4d7d-baf8-66bbb67e4ba8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91e20d13-12cf-4c82-9d05-9a0dd10020ff.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Program Files (x86)\Internet Explorer\SIGNUP\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa4125fd-8f80-430e-818f-f3df7e886c74.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85ca39cf-e20d-4d05-bbbb-bec79c8a355a.vbs"
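
The scheduled-task pattern in the process list above, as an added example that is not part of the sandbox report: a parser for the schtasks /create command lines as printed, and three checks a triage analyst applies to them: a Windows system binary name registered from a directory where that binary never lives, /rl HIGHEST, and the same target registered as an ONLOGON task plus minute-interval tasks. The commands embedded below are copied from the list above plus one constructed benign task; the SYSTEM_BINARIES table is this example's own simplification of where those binaries are normally installed.

```python
"""Flag the schtasks persistence pattern in the process list above.

Added example, not part of the sandbox report. CMDS are 'schtasks /create'
lines copied from the list above plus one constructed benign task. The
SYSTEM_BINARIES table is this example's own simplification: where each of
those Windows binaries is normally installed.
"""
import re
from collections import defaultdict

SYSTEM_BINARIES = {
    "csrss.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "sppsvc.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Nine commands copied from the process list; the last line is a constructed
# benign task that must produce no finding.
CMDS = r"""
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Acme Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f
"""

SWITCHES = {
    "tn": re.compile(r'/tn\s+"([^"]+)"'),
    "sc": re.compile(r"/sc\s+(\w+)"),
    "mo": re.compile(r"/mo\s+(\d+)"),
    # /tr is double-quoted and, in the sample's commands, single-quoted again
    "tr": re.compile(r'''/tr\s+"'?([^'"]+)'?"'''),
    "rl": re.compile(r"/rl\s+(\w+)"),
}


def parse_schtasks(cmd):
    """{tn, sc, mo, tr, rl} for a 'schtasks /create' line, else None."""
    if "/create" not in cmd.lower():
        return None
    task = {}
    for name, rx in SWITCHES.items():
        m = rx.search(cmd)
        task[name] = m.group(1) if m else None
    return task


def findings(tasks):
    """(task name or target path, reason) tuples."""
    out = []
    schedules = defaultdict(list)  # target path -> schedule types seen
    for t in tasks:
        if not t or not t["tr"]:
            continue
        folder, _, base = t["tr"].lower().rpartition("\\")
        schedules[t["tr"]].append(t["sc"])
        expected = SYSTEM_BINARIES.get(base)
        if expected and folder != expected:
            out.append((t["tn"], f"{base} belongs in {expected}, registered from {folder}"))
        if (t["rl"] or "").upper() == "HIGHEST":
            out.append((t["tn"], "runs with highest privileges (/rl HIGHEST)"))
    for path, kinds in schedules.items():
        minute = kinds.count("MINUTE")
        if "ONLOGON" in kinds and minute:
            out.append((path, f"logon task plus {minute} minute-interval task(s) for the same binary"))
    return out


TASKS = [parse_schtasks(c) for c in CMDS.strip().splitlines()]

if __name__ == "__main__":
    for subject, reason in findings(TASKS):
        print(f"{subject}: {reason}")
```

The task names are the binary name with one letter appended (csrssc, explorere, sysmons, RuntimeBrokerR) for the interval tasks beside an unsuffixed ONLOGON task, and the /mo interval differs per task (5 to 14 minutes in the list above), so matching on exact task names or intervals is fragile. sysmon.exe is deliberately absent from SYSTEM_BINARIES (it is a Sysinternals tool, not a Windows component), which means the name map alone would miss the sysmon triad; the ONLOGON-plus-MINUTE and /rl HIGHEST checks still catch it.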

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp

Files

memory/2512-0-0x00007FFEFB383000-0x00007FFEFB385000-memory.dmp

memory/2512-1-0x00000000005E0000-0x00000000007A0000-memory.dmp

memory/2512-2-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

memory/2512-3-0x0000000002880000-0x000000000288E000-memory.dmp

memory/2512-4-0x000000001B370000-0x000000001B38C000-memory.dmp

memory/2512-5-0x000000001BBA0000-0x000000001BBF0000-memory.dmp

memory/2512-6-0x000000001BB50000-0x000000001BB66000-memory.dmp

memory/2512-7-0x000000001BB70000-0x000000001BB82000-memory.dmp

memory/2512-8-0x000000001BCF0000-0x000000001BD00000-memory.dmp

memory/2512-9-0x000000001BB80000-0x000000001BB8A000-memory.dmp

memory/2512-10-0x000000001BB90000-0x000000001BB9C000-memory.dmp

memory/2512-11-0x000000001BD00000-0x000000001BD08000-memory.dmp

memory/2512-12-0x000000001BD10000-0x000000001BD1C000-memory.dmp

memory/2512-13-0x000000001BD20000-0x000000001BD2C000-memory.dmp

memory/2512-17-0x000000001BF60000-0x000000001BF6C000-memory.dmp

memory/2512-16-0x000000001BE50000-0x000000001BE5E000-memory.dmp

memory/2512-15-0x000000001BE30000-0x000000001BE3A000-memory.dmp

memory/2512-14-0x000000001BE40000-0x000000001BE48000-memory.dmp

C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe

MD5 3fee7ded96ac1d470212d26fccc60898
SHA1 e2c6d4561548dab022de28002fdee09daf90eae6
SHA256 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d
SHA512 4bbbab7f897295df7ad67ccaf9362557ece7ce352716cad8a7529ab7824b01732a9dcadf96954611c1c6628e1c0d3c59787daf243172bf1b5f12a6e6e9278ea0

memory/2512-47-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

memory/1844-48-0x0000000003210000-0x0000000003222000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91921fb4-3bc4-4050-aa17-8b69db4d4d30.vbs

MD5 71727252e782b99c32aee0d01e55d21c
SHA1 e1537376a9cfdf677b5d3f67dc9c3529b6a8b5a5
SHA256 69849267be2f3e3889b7a8943f33576c719f3b18378358875cf5ac6f91ec2c90
SHA512 f24b3f6fae47d45ed017b60ea10430e9069081b0cec0c91e3e826a2cb79ede87716b7c43108f90e4c79fbef8ff01549cc94e95a1dc0378274604c38590efeb15

C:\Users\Admin\AppData\Local\Temp\b876f832-f1f7-423a-b713-debfeab4aa96.vbs

MD5 a057da956afef941cab0d7e302ba2c86
SHA1 829906a672675c0f11c81ba1ccb2d967aa42d7d0
SHA256 9b6bb2ac757638fc258cf6011ce842b77a7e728c5391a2201ca9492d2add3d4f
SHA512 89df7e3aa6d5c702165472e2c393b8a61c1b581abddb04727e37adfe23bee154b844351b7e1b012c0e270ea8e75833ef873ee648b96e7772f4c52a7cb01a5bf9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe.log

MD5 c6ecc3bc2cdd7883e4f2039a5a5cf884
SHA1 20c9dd2a200e4b0390d490a7a76fa184bfc78151
SHA256 b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d
SHA512 892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e

C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat

MD5 a8ece911de076c8987b5f5f581a2f80b
SHA1 b571875672643029069ab3a3926c4a5f45d817dc
SHA256 807419ce01e77e3609736ff65ce9ebd40c41fd440a9ee99c9827210a7dcc86ad
SHA512 525bbea35e32f93ad3f15300f016914f38c39a6caa0cfa738ee0f53a8fc6923066c8a97e3da2c4f0d51c125209820eb4a5fd30726c76d0ed77075523669ff8ab

memory/2896-65-0x000000001BC00000-0x000000001BC12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3576606c-d162-4362-bc50-1dfbdb66e09c.vbs

MD5 aad93cf26c55b36b12ca94aecedd39f3
SHA1 7f3d80676bafa261d878b6aeea63a79abcbe1009
SHA256 43a35bc37b7f3c210fde35562e44debb27f73103cb4545c9e0f9a491639f7e11
SHA512 fce64a1f0c37278e685eabfb90f92b00ce38f36b6e32097de98fa083af96516962af006766aa20b607c86ba19c614e32f0ccfa433e92114defedcfa83a153702

C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat

MD5 e9f235d781d86794521735a9ca72e536
SHA1 6127db49a88062ad837a37a33f6899970e347595
SHA256 418c5190912e2965279a668e86ac83e816b908eeb3bc301fd3b19ffcf97a9b50
SHA512 dd082b8b1dfe9c1e48ff62ffbdab40be877209105689da3d36e7be0060f46aaf1beea8cbd22e33c744ff11f15dbb2a2c514411cc2118e2b357b898186c545903

memory/5068-83-0x0000000002C20000-0x0000000002C32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fe0e0668-e77a-4a7d-967c-8fa434ecaf1c.vbs

MD5 812bc4d953cd7a0b6580285f22fe4a5f
SHA1 c6f697bfcadfe549ec9405e8df36fc1c1d5be817
SHA256 6d6865e4b399b008d6a5fb6d580845e08104b2f295b12eb756190cf0120dca02
SHA512 f2abe3f1cdf950afc75b77a9566218ec760c31d433d21f0a52e83b3234d557e6adecd59db3785a6845098c2e340fa477dd8b7f09d71cba6ca47e111e388be8aa

C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

MD5 96fbe7b3fa76aced4dfa7d42ffc2ae54
SHA1 f870009f3b80bfdd27dbbc780e09d6a327b783f9
SHA256 2489d871ccd5350abd2346100ec7222a0256cb47469b5ee35687b4f46659ab92
SHA512 82ae8a4b2bb5ad7834cf7d38db0ddd5c350baaaa8e663ea6b58e7b9ba56337b9ac20824fc59096e00f718b592b9a1707e53ceea1c6af6c0edeec4bc0b8bd1f91

C:\Users\Admin\AppData\Local\Temp\c1f98294-b8f0-4246-979d-ce0008475972.vbs

MD5 f4f1778618e93b095f6be0ec4522d65c
SHA1 e362d87c9522f769f8b22df6317551283cf8dd76
SHA256 878d32cc13ffacd623b186986466f03cec7905e3feb256473a54bfdfaf603cfd
SHA512 718bee088c812fbe4f8f6272b41fbed1c3a18f6a259da6e387bca51cd3ea594c956a20c297ea63036576b61ea50018a7f27847120667ed9b21d5f16af5c3dfa2

C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

MD5 3abe85e84c7edbc5fd338a15a35c1b2e
SHA1 c2f24d5cfe46f26402221e5ec30d24f46560b3e4
SHA256 611dae7151e0620fb70b4cdb37c502dd4277c22764711d8a43ce438e3ed3de0f
SHA512 68680af8c912ee85ac486baeceeaa375516b6fac9e4e06985bbeb51b77d8d3494bcb4224d3d2643d1e61adc46e2bdc7770fcf62b441d39e4c33c8efb591442c6

C:\Users\Admin\AppData\Local\Temp\a4075010-9856-4de2-95de-efd71ff675bd.vbs

MD5 43cb5dad1d0e2eeaa6d3c5482c11a8e2
SHA1 9c31b7c8c00f45818a5805e903ffbcda46158c79
SHA256 2037794e1ee6b029c62781b25ccaa7e1dab0aed78ce538e6f84951161b367801
SHA512 68ff00e7e4411d9f059efe7e963dcb633f86845645e2c3464f3eb94d4845d8912cf74a8be058b6e12b481b38f156a8f63b8ada15edf9d70f86348d479b80889e

memory/2472-135-0x00000000028F0000-0x0000000002902000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2b07ac98-a516-4e58-96c1-c3e40a651bdd.vbs

MD5 c8e042c2a04a57f535407f43522e2544
SHA1 996ca6735a93442f079b69cf911fbbcadc944b10
SHA256 bb47d6eb679bd38faacdc90cfb429db11f1e56b5ace4e1e370ff43375dc177fb
SHA512 6974a939bcca201ca88ece9cceba526142426a4f572e8de479353a1f0930bf94cded91b0ee1cc9bf083a497eee80e5072fda344af5ffee7ceb6d09c13fe29552

C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

MD5 546509f3243b1178780f1ef06e90a131
SHA1 91ba9030da56567fdf60ff5a778d0085ceff8f6a
SHA256 b6d29ad0720606f90535048e6bb892f92506a90d79b0c074d12c407616636268
SHA512 ade43a6817b89542547cdb42d5453165f7bb5e37346ec46a14b1ac23d669351b53e7e3b032d60f6aafb4e9836721b12a921863ca1a1084a840cbba53be64428d

memory/2348-153-0x0000000000B90000-0x0000000000BA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\58cc7392-b918-4d7d-baf8-66bbb67e4ba8.vbs

MD5 ce004b4af6673cace6f32eec7de6bdf0
SHA1 ea332d76808ca776638882dc4a8e47d5dc5d7c93
SHA256 ceb168ab66ad1fd2b5a7685692c0f87fd7665416c44b586ce4f1360b77b736ee
SHA512 748cf698a2998bc03426c279cec4e11d5d5556bbd2ae367ea06c823e24e1d00bcecb72fb57561861dd48b5568c3925857ab3f43d2713b360be0113d4f54fbdae

C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

MD5 c367e9c9450eb25939a0b7200b4cabcb
SHA1 8dabd6e4f90bea49fc06550de5242023353f2f74
SHA256 4b24edf3d8e0d8413db1d917ed094a157ecf56f182a5d84ea8e9774d600904fc
SHA512 5d3d92eb823b27b3ff08506c1570ade78582b64b4cf034c0deb7e40def47a39d871b8eeb0e94b60a181e1592213f41e34b9e453702a6b30e57a31c1d06eff2b8

memory/636-171-0x0000000003180000-0x0000000003192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aa4125fd-8f80-430e-818f-f3df7e886c74.vbs

MD5 66cde97d652ae99160fa56afdea7f349
SHA1 5eb365202f632bbf9e0d37ce84cf9d458ffcfef8
SHA256 1d629c17ef8b58cb97129bfba1a1fa463bba1443b7ee7164181880327a24e6cb
SHA512 8117ec114599ea48ba1e3969aad959a7b5a6d456f7e412c9e239e18ed0ac3adf19a4a0ce6b4f506bd7ac87a3433333b89de917798a1fc2bac08ac85902d26a8c
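
Reading the Files section, as an added example that is not part of the sandbox report: a parser for the entries as printed (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with memory/PID-index-start-end-memory.dmp lines in between), a check for dropped files whose SHA256 equals the submitted sample, and a split between the dropped executables and the per-run .vbs/.bat helpers. The text embedded below is a subset of the lines above, copied as printed; the sample hash is the report's own.

```python
"""Parse the Files section and separate durable indicators from per-run noise.

Added example, not part of the sandbox report. FILES_TEXT is a subset of the
lines above, copied as printed; SAMPLE_SHA256 is the report's own hash of the
submitted file.
"""
import re
from collections import Counter

SAMPLE_SHA256 = "76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d"

FILES_TEXT = r"""
memory/2512-1-0x00000000005E0000-0x00000000007A0000-memory.dmp
memory/2512-2-0x00007FFEFB380000-0x00007FFEFBE41000-memory.dmp

C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe

MD5 3fee7ded96ac1d470212d26fccc60898
SHA1 e2c6d4561548dab022de28002fdee09daf90eae6
SHA256 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d

memory/1844-48-0x0000000003210000-0x0000000003222000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91921fb4-3bc4-4050-aa17-8b69db4d4d30.vbs

MD5 71727252e782b99c32aee0d01e55d21c
SHA256 69849267be2f3e3889b7a8943f33576c719f3b18378358875cf5ac6f91ec2c90

C:\Users\Admin\AppData\Local\Temp\b876f832-f1f7-423a-b713-debfeab4aa96.vbs

MD5 a057da956afef941cab0d7e302ba2c86
SHA256 9b6bb2ac757638fc258cf6011ce842b77a7e728c5391a2201ca9492d2add3d4f

C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat

MD5 a8ece911de076c8987b5f5f581a2f80b
SHA256 807419ce01e77e3609736ff65ce9ebd40c41fd440a9ee99c9827210a7dcc86ad
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_files(text):
    """Return (dropped files, memory regions). A hash line belongs to the most
    recent path line; a memory line closes the current file entry."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, _, start, end = m.groups()
            regions.append({"pid": int(pid), "start": int(start, 16),
                            "size": int(end, 16) - int(start, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
    return files, regions


def self_copies(files, sha256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [f["path"] for f in files if f.get("SHA256") == sha256]


def helper_scripts(files):
    """The .vbs/.bat trampolines written to the user's Temp directory."""
    return [f["path"] for f in files if f["path"].lower().endswith((".vbs", ".bat"))]


def regions_by_pid(regions):
    """How many memory dumps the sandbox took per process."""
    return dict(Counter(r["pid"] for r in regions))


if __name__ == "__main__":
    files, regions = parse_files(FILES_TEXT)
    print("identical to sample:", self_copies(files, SAMPLE_SHA256))
    print("per-run helpers:", helper_scripts(files))
    print("dumps per pid:", regions_by_pid(regions))
```

The dropped csrss.exe hashes identically to the submitted file, so the sample copies itself under a system-process name rather than unpacking a second stage; the other task targets (RuntimeBroker.exe, explorer.exe, sysmon.exe, sppsvc.exe, wininit.exe) have no hash entries in this Files list, so the same cannot be asserted for them from this report. Every .vbs and .bat helper in this single run carries a different hash and a GUID or random name, so those hashes identify nothing beyond this detonation; the reusable indicators are the sample hash itself and the path patterns (GUID-named .vbs in %TEMP%, the SIGNUP and Registration directories).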