Malware Analysis Report

2024-10-10 13:00

Sample ID: 240617-br8d3sxgnb
Target: dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe
SHA256: dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e
Tags: dcrat, evasion, infostealer, rat, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e
Threat Level: Known bad

The file dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe was found to be: Known bad.

Malicious Activity Summary

Tags: dcrat, evasion, infostealer, rat, trojan

- Process spawned unexpected child process
- UAC bypass
- DcRat
- Dcrat family
- DCRat payload
- Detects executables packed with SmartAssembly
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Drops file in Program Files directory
- Unsigned PE
- Enumerates physical storage devices
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Modifies registry class
- Uses Task Scheduler COM API
- System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-17 01:23

Signatures

DCRat payload
Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family
Tags: dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 01:23
Reported: 2024-06-17 01:26
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe"

Signatures

DcRat
Tags: rat, infostealer, dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

UAC bypass
Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\RuntimeBroker.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default User\RuntimeBroker.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default User\RuntimeBroker.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A

DCRat payload
Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Default User\RuntimeBroker.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A

Checks whether UAC is enabled
Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default User\RuntimeBroker.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default User\RuntimeBroker.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Mozilla Firefox\defaults\pref\services.exe | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
File created | C:\Program Files\Mozilla Firefox\defaults\pref\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
File created | C:\Program Files\MsEdgeCrashpad\attachments\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
File created | C:\Program Files\MsEdgeCrashpad\attachments\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
File created | C:\Program Files\Mozilla Firefox\fonts\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
File created | C:\Program Files\Mozilla Firefox\fonts\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
File created | C:\Program Files\Microsoft Office 15\ClientX64\smss.exe | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
File created | C:\Program Files\Microsoft Office 15\ClientX64\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\PrintDialog\pris\66fc9ff0ee96c2 | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
File created | C:\Windows\LanguageOverlayCache\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
File created | C:\Windows\PrintDialog\pris\sihost.exe | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
File opened for modification | C:\Windows\PrintDialog\pris\sihost.exe | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Users\Default User\RuntimeBroker.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
N/A | N/A | C:\Users\Default User\RuntimeBroker.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default User\RuntimeBroker.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2076 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe | C:\Users\Default User\RuntimeBroker.exe
PID 1848 wrote to memory of 3928 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 1848 wrote to memory of 4324 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 3928 wrote to memory of 3940 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default User\RuntimeBroker.exe
PID 3940 wrote to memory of 4564 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 3940 wrote to memory of 1664 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 4564 wrote to memory of 3804 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default User\RuntimeBroker.exe
PID 3804 wrote to memory of 2796 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 3804 wrote to memory of 4592 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 2256 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default User\RuntimeBroker.exe
PID 2256 wrote to memory of 2712 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 2256 wrote to memory of 4428 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 2712 wrote to memory of 5092 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default User\RuntimeBroker.exe
PID 5092 wrote to memory of 2040 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 5092 wrote to memory of 652 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 2040 wrote to memory of 2996 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default User\RuntimeBroker.exe
PID 2996 wrote to memory of 812 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 2996 wrote to memory of 4360 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 812 wrote to memory of 4088 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default User\RuntimeBroker.exe
PID 4088 wrote to memory of 3552 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 4088 wrote to memory of 3340 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 3552 wrote to memory of 3548 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default User\RuntimeBroker.exe
PID 3548 wrote to memory of 1552 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 3548 wrote to memory of 4800 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 1552 wrote to memory of 3092 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Default User\RuntimeBroker.exe
PID 3092 wrote to memory of 3048 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 3092 wrote to memory of 3220 | N/A | C:\Users\Default User\RuntimeBroker.exe | C:\Windows\System32\WScript.exe
PID 3092 wrote to memory of 3220 N/A C:\Users\Default User\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3048 wrote to memory of 1084 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\RuntimeBroker.exe
PID 3048 wrote to memory of 1084 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\RuntimeBroker.exe
PID 1084 wrote to memory of 4272 N/A C:\Users\Default User\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1084 wrote to memory of 4272 N/A C:\Users\Default User\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1084 wrote to memory of 3644 N/A C:\Users\Default User\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1084 wrote to memory of 3644 N/A C:\Users\Default User\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4272 wrote to memory of 2132 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\RuntimeBroker.exe
PID 4272 wrote to memory of 2132 N/A C:\Windows\System32\WScript.exe C:\Users\Default User\RuntimeBroker.exe
PID 2132 wrote to memory of 1576 N/A C:\Users\Default User\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2132 wrote to memory of 1576 N/A C:\Users\Default User\RuntimeBroker.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\RuntimeBroker.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe

"C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\pris\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\pris\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\attachments\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Searches\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5dd7910-fec2-47a0-98a1-27785bbad00c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9feb90e-dc31-4a04-9466-98e598bbaa6c.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2792,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6030248d-6274-47be-857e-ccd88748ed69.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0fd1f6f-c9bf-4375-a499-0d38da2231f3.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32bccad1-6edc-4f70-9faa-2f582254da16.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53a38bd3-c242-49cc-a03f-727c3b08a16a.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b95a0513-0181-46c0-a370-757d51d2bfe7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75eccb42-5635-4054-9af7-cba2f1b232ae.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb707b67-b18e-41a7-afac-c38590c0f904.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c48e1e5-1608-4b07-9aa6-103fb84709b9.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ade9232-6657-4a2e-a324-ce01f5fb9752.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d8c659d-d47f-46ee-b09c-cc6a50b1db98.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a5be7ad-c2c7-446f-bd16-bdd216ec9c67.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8321a70e-227b-40be-a9b4-6c1a57abcf5b.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b901701-f259-4183-a36d-f337f05fb471.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c61219ee-810f-4ba9-852a-3bf34c6c2677.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\625a3a3e-5cdd-45c5-a684-8bb5941154c9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65c4e1ae-5898-401e-8ce9-836bf7c95f10.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cac6afda-0919-45e8-af39-60dc1597cf0c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2017b690-5e2a-41c5-895d-02241a983678.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf837947-1958-486c-b23c-56d782063315.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b83e2c2-6953-4713-8379-680548d9dcaa.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15f12017-7981-4ab2-b993-c42cbb3bdefb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b69269ad-ca53-4987-9be8-b2db51c02ae1.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66f310c2-803f-40a7-8e33-bcafdd5f4e0a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b6c9358-33d4-4924-be6a-0be2dcb3e345.vbs"

C:\Users\Default User\RuntimeBroker.exe

"C:\Users\Default User\RuntimeBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 a0993445.xsph.ru udp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
US 8.8.8.8:53 93.192.8.141.in-addr.arpa udp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp

Files

memory/2076-0-0x00007FFFFEA03000-0x00007FFFFEA05000-memory.dmp

memory/2076-1-0x0000000000090000-0x00000000003FA000-memory.dmp

memory/2076-2-0x00007FFFFEA00000-0x00007FFFFF4C1000-memory.dmp

memory/2076-3-0x00000000025C0000-0x00000000025CE000-memory.dmp

memory/2076-4-0x0000000002730000-0x000000000273E000-memory.dmp

memory/2076-6-0x0000000002750000-0x000000000276C000-memory.dmp

memory/2076-5-0x0000000002740000-0x0000000002748000-memory.dmp

memory/2076-7-0x000000001AF90000-0x000000001AFE0000-memory.dmp

memory/2076-9-0x000000001AF50000-0x000000001AF60000-memory.dmp

memory/2076-11-0x000000001AF80000-0x000000001AF88000-memory.dmp

memory/2076-12-0x000000001AFE0000-0x000000001AFF2000-memory.dmp

memory/2076-10-0x000000001AF60000-0x000000001AF76000-memory.dmp

memory/2076-8-0x000000001AF40000-0x000000001AF48000-memory.dmp

memory/2076-13-0x000000001B020000-0x000000001B02C000-memory.dmp

memory/2076-14-0x000000001AFF0000-0x000000001AFF8000-memory.dmp

memory/2076-15-0x000000001B010000-0x000000001B020000-memory.dmp

memory/2076-16-0x000000001B030000-0x000000001B03A000-memory.dmp

memory/2076-17-0x000000001B040000-0x000000001B096000-memory.dmp

memory/2076-18-0x000000001B090000-0x000000001B09C000-memory.dmp

memory/2076-19-0x000000001B0A0000-0x000000001B0A8000-memory.dmp

memory/2076-20-0x000000001B0B0000-0x000000001B0BC000-memory.dmp

memory/2076-21-0x000000001B8D0000-0x000000001B8D8000-memory.dmp

memory/2076-22-0x000000001B8E0000-0x000000001B8F2000-memory.dmp

memory/2076-23-0x000000001BE40000-0x000000001C368000-memory.dmp

memory/2076-24-0x000000001B910000-0x000000001B91C000-memory.dmp

memory/2076-25-0x000000001B920000-0x000000001B92C000-memory.dmp

memory/2076-26-0x000000001B930000-0x000000001B938000-memory.dmp

memory/2076-27-0x000000001B940000-0x000000001B94C000-memory.dmp

memory/2076-28-0x000000001B950000-0x000000001B95C000-memory.dmp

memory/2076-29-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

memory/2076-30-0x000000001BA60000-0x000000001BA6C000-memory.dmp

memory/2076-33-0x000000001BB90000-0x000000001BB98000-memory.dmp

memory/2076-34-0x000000001BBA0000-0x000000001BBAE000-memory.dmp

memory/2076-36-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

memory/2076-35-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

memory/2076-32-0x000000001BA80000-0x000000001BA8E000-memory.dmp

memory/2076-38-0x000000001BBF0000-0x000000001BBFA000-memory.dmp

memory/2076-37-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

memory/2076-31-0x000000001BA70000-0x000000001BA7A000-memory.dmp

memory/2076-39-0x000000001BC00000-0x000000001BC0C000-memory.dmp

C:\Users\Admin\Searches\RuntimeBroker.exe

MD5 49c8ca6dcd8990e9d840ec142959abe8
SHA1 7ff8e014f01f82bab6e239bde43bd60592af90e7
SHA256 dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e
SHA512 59f10d0dd41296d8d5d08ff930ad920ce5c4fe25eeee669ea0225c815f9c06e0487a6fd1f18d373a54aa16f29b37bab9f247961f31d2b2fdf706095a12c82f15

memory/2076-66-0x00007FFFFEA00000-0x00007FFFFF4C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f5dd7910-fec2-47a0-98a1-27785bbad00c.vbs

MD5 19e6b4246b085a8bc57df13e63475394
SHA1 466cd99621722d55d28f04372bcabae3ea0ae79f
SHA256 16a6cc75ce9f0e67795d751e38f83938773ba36aac94502794ee799be0e80f8a
SHA512 6e86fb34b26b5b8231ca9de0f97a09c70ad5561581026387104cf01db5fbd53b7b7d0a123629fb512aac161ae841fa9bd63b992c7b1a6349f7da3d6622338c86

C:\Users\Admin\AppData\Local\Temp\f9feb90e-dc31-4a04-9466-98e598bbaa6c.vbs

MD5 882ffd7fcda87e35aef27337a880f73f
SHA1 4be4cd5d0ea908a765cef5c5a9aecccf92f96135
SHA256 8548dff3f6beb93cd592c2cf6841bc173458db665c8e6a847cf0a35d56d1a93f
SHA512 6e41b5c574f998fc815a31338c1549df2d7202e30be19c9491dcbe82338fd424df3d7842cb390b78d3184aa245088cb4539d115535fffc31223683ee374c79c0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

memory/3940-79-0x000000001BFF0000-0x000000001C002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6030248d-6274-47be-857e-ccd88748ed69.vbs

MD5 daaa1fb641c358d193b5687f1edb548b
SHA1 e92bcda9a7b342afaff9a0a10f58f9437c0a28f7
SHA256 a7fe3db1ee86d0658655b3dfeaa4c76152f442c19047ac0b957372046825003b
SHA512 a2378c0c43f1715554dd7c12c5ab771afac55cc24131f25fa73d48117b9be118b8af2c66a5d23aac1634d244d78a9dba3376f9e6018d9412242be58e474a11da

C:\Users\Admin\AppData\Local\Temp\32bccad1-6edc-4f70-9faa-2f582254da16.vbs

MD5 bca743c37db654b1a4431c14285faa62
SHA1 6905e5613a74b20b04566b7cec36997f701f0039
SHA256 4ffc23cf7b5bf37cd734095d15f12621519d7f35c5d2cd6ef1075cc5e9781535
SHA512 d3d80831cebe933f028424832f2fc886ee91cc2242e368f86eb9fa61dc61664970326d69f71dd57c500230cdcef832e07d4aea68f2d2b1f27fba7b9571b9949d

memory/2256-102-0x000000001D860000-0x000000001D872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b95a0513-0181-46c0-a370-757d51d2bfe7.vbs

MD5 23100fb36501a5d17f8b8b9d7b24b6bc
SHA1 4b8c8f31e5ab1bf66587d3b299dad822afa2ffc5
SHA256 96e53e282661d31e66268657e0d86d831af7de30038ad6f2bbc76081cad9ba0e
SHA512 e04652eb9d7dd01ad8e37f1c9963de06e06f2429ad3bdeb33879f4ad9ae26d99084961f063ab778b6c1f67d99ec529d880e6eb205fac08ed1c80cccf294109fc

C:\Users\Admin\AppData\Local\Temp\eb707b67-b18e-41a7-afac-c38590c0f904.vbs

MD5 56592a692906382b059414834c14ba78
SHA1 71da47a6617cc956a7fbd34aef247ccaaf8095ae
SHA256 e7b2f3b5c32999b4907edfc01cfa2f5b58a4bd76492d128e919b0eb8785f5d83
SHA512 5232d1a945d5c20ee078a70ea99fc47ea1ddf9d5d869edf8bb076a250f48530d07a4dbc912c6eb48ddd7274681d684d8703f7e1b414a39e8530bfe2e8440bb45

C:\Users\Admin\AppData\Local\Temp\2ade9232-6657-4a2e-a324-ce01f5fb9752.vbs

MD5 1159b40e960b3621ff11757536d447d1
SHA1 7b85856bbe1eb676b260c3830ce7baa438c9c9e1
SHA256 72d9093c19c769145e4dd58f1745796675dda0cf3cdcaa5f08f292ec1fca853b
SHA512 71d1faeb367972584731cdefff1bb916acbb2f4271120bd33e4d904653e42ade5acb9d61b7919fb3943e8a9a0cacce466bb0d003b78e902736a9eae1037703ae

C:\Users\Admin\AppData\Local\Temp\7a5be7ad-c2c7-446f-bd16-bdd216ec9c67.vbs

MD5 2ced54aeef645df86924994bbd60ccbe
SHA1 c6b69f567cd264fa58c37b17c1bd06abbb7b1024
SHA256 42dd1d0c96b580b09484ed67c7eb7ad9152139602d5636f0b1900b9ce7081d18
SHA512 318aed5d82c745713a1888e45dd032f4b4f98671ade5935864060996064fe43ffdabcc18260979f4e31bf92c771fec917ef398d3a32008f368136db814aeb2bb

C:\Users\Admin\AppData\Local\Temp\8b901701-f259-4183-a36d-f337f05fb471.vbs

MD5 af4f440bdb78c435323a69def255a60f
SHA1 6ed005cefd6b9bfc5cdac5c66139efa8b42b2c6c
SHA256 87825289595d61c67f7f716329c8794ac9b39bd85394696bf0450d7bb81f75c2
SHA512 118adc4b742a23269270392d979fd1f76848d61e5fe974e325822857c58aa39f8c387aad890051c9a0e7fa5b514f744e42fdd12e3d0857a822e1feeb89dfec1a

C:\Users\Admin\AppData\Local\Temp\625a3a3e-5cdd-45c5-a684-8bb5941154c9.vbs

MD5 3a3885f7d3dedaabf6687fc4c4e8e3a0
SHA1 6591095a2b4958c6baeb77863f0514b8c76885ca
SHA256 2d43012200b9e3a902567d54820f2116e14701397f6adffe1540d64501254099
SHA512 3a5160f8d45060bf8b37277193b37abdbc6b3a1e36c8d8b350607c5d2ebeb1a75edd716e50c50265bcf250e387afae50b3f0da66277eebfeba68f0b655902cfc

C:\Users\Admin\AppData\Local\Temp\cac6afda-0919-45e8-af39-60dc1597cf0c.vbs

MD5 2ccec9345099ee561817a7fb74dc88ee
SHA1 2ca3e2234e17e984d71bacad37934da1699b2c1b
SHA256 6b5e8990367d4712909b29444108cba7a12ebc3a0874f1766d0f04663aab9dc3
SHA512 c8e212dfa2f5c555ae0eb946d3f32fa099a1eaf9c8cc48104f1d1ef472a54abe5b7fa25bfcf114afa5e7181aca0047bd631b9572a1729babac53704b8eee2a9d

memory/2132-180-0x000000001D7D0000-0x000000001D7E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bf837947-1958-486c-b23c-56d782063315.vbs

MD5 7d4c0065053ae816a3f412b9c78778f5
SHA1 3b345ce7a342363eecb15e097403b746ff3fd8f8
SHA256 6bb1db851e1517af38a268f34edb68cb010e7725458397a7ffe93b719be678e2
SHA512 d9285b64729ad1b6176f838567c2340cbde0f1e8ca274b2a54a7da4b8e32b4dc7c17fea1b864015e66ffddb95cec0cfa8a65587279a2a068e5cf4d6b7e7e1968

C:\Users\Admin\AppData\Local\Temp\15f12017-7981-4ab2-b993-c42cbb3bdefb.vbs

MD5 5a6de4cd39c851ee94d37e0717db3dea
SHA1 80bd8c6277677c4f1710492eb360db65293d3c6c
SHA256 34114b025e8eac9f332da337bc2d78428204e6147ec0dce3bfc4b0fef3dc6e96
SHA512 21b738d0d271ae5fb2c810a4e3fdfc09d847727e49ce3a7cf36b13fca45cd75871a80be962c1b5c781eb048fa6d376e7bd2fd1fe5d2b35c755bb5ceee5173e91

C:\Users\Admin\AppData\Local\Temp\66f310c2-803f-40a7-8e33-bcafdd5f4e0a.vbs

MD5 2323d8612e803d86f91409c410a1e15b
SHA1 a8dee88b6596944777347f703f64976a307c236b
SHA256 94790e2c5738462425e361d950fb3f2cd19447122a43ce8a8edd8b674caab63e
SHA512 95c16aac6833b34c02389c872a008edab2ca38071d966934ebd19bcbe5353eafa4f6b019453bef89e1c9e94375a7812cf176d0ecd7f79a56e90b1a74c72e1eb0

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 01:23

Reported

2024-06-17 01:26

Platform

win7-20240611-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\ja-JP\services.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\ja-JP\services.exe C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\ja-JP\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
N/A N/A C:\Windows\Migration\WTR\sppsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Migration\WTR\sppsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe C:\Windows\Migration\WTR\sppsvc.exe
PID 1164 wrote to memory of 308 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1164 wrote to memory of 940 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 308 wrote to memory of 860 N/A C:\Windows\System32\WScript.exe C:\Windows\Migration\WTR\sppsvc.exe
PID 860 wrote to memory of 236 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 860 wrote to memory of 336 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 236 wrote to memory of 1928 N/A C:\Windows\System32\WScript.exe C:\Windows\Migration\WTR\sppsvc.exe
PID 1928 wrote to memory of 884 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1928 wrote to memory of 1604 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 884 wrote to memory of 2824 N/A C:\Windows\System32\WScript.exe C:\Windows\Migration\WTR\sppsvc.exe
PID 2824 wrote to memory of 2416 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2824 wrote to memory of 2536 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2416 wrote to memory of 1660 N/A C:\Windows\System32\WScript.exe C:\Windows\Migration\WTR\sppsvc.exe
PID 1660 wrote to memory of 2260 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1660 wrote to memory of 936 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2260 wrote to memory of 1488 N/A C:\Windows\System32\WScript.exe C:\Windows\Migration\WTR\sppsvc.exe
PID 1488 wrote to memory of 2088 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1488 wrote to memory of 2316 N/A C:\Windows\Migration\WTR\sppsvc.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Migration\WTR\sppsvc.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe

"C:\Users\Admin\AppData\Local\Temp\dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f

C:\Windows\Migration\WTR\sppsvc.exe

"C:\Windows\Migration\WTR\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aa376a8-f62b-4d9c-b6e8-ce18ff13eff2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa902151-af1c-40aa-99e5-27884010fcfa.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\834ea942-c94a-4339-9194-1996b1637afd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0efbdd5d-4081-4a15-ae4d-22d0a6a9491d.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c873ca4-cd2f-44c7-807e-480e7df54a6f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af69dae0-63a7-42ec-8881-554538d2680e.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\333dbb62-3bf9-4386-866b-b258fff209d6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955de1c5-a510-4598-b411-1e9da4f297c5.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b26ee39-038c-4579-930a-3e0e64c8feb7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cca95526-6310-41f7-a431-0428a7df3c2d.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88006fa1-6865-4890-af6d-0aba28078d98.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b294afe-af31-42c7-856e-bb95c755f5d2.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2644cc7-739e-413a-91c9-fc66742a065f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2dab25c-6e45-46fd-8f89-31519b7e8dc4.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c8184de-7c54-4e9c-89a1-73db8a73db61.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3610e6ff-088c-4063-8342-60106a8d898e.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a28078d8-66c2-480d-939a-af22addf3d21.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec995442-b533-4168-94b8-3e310d19f3b1.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1c48bde-034e-47f3-88ea-57c473faf37f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735d2073-3bb1-47e7-8cde-754929346baf.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63669626-2bc1-4dff-8922-ca194afc24b5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc7d3d4a-82d1-4478-9577-a5dc5fa1960d.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcb29992-ecf2-46cd-891a-a3572680c890.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d650ff57-2cbe-4c8f-8eb1-7dec781f1444.vbs"

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\Migration\WTR\sppsvc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeb4ec00-b0cd-4f09-b6dd-eb97608ab5ba.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\399b837e-b7ba-4452-90a2-8eaee415f821.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0993445.xsph.ru udp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp
RU 141.8.192.93:80 a0993445.xsph.ru tcp

Files

memory/1688-0-0x000007FEF6023000-0x000007FEF6024000-memory.dmp

memory/1688-1-0x0000000001250000-0x00000000015BA000-memory.dmp

memory/1688-2-0x000007FEF6020000-0x000007FEF6A0C000-memory.dmp

memory/1688-3-0x0000000000600000-0x000000000060E000-memory.dmp

memory/1688-4-0x0000000000610000-0x000000000061E000-memory.dmp

memory/1688-5-0x0000000000230000-0x0000000000238000-memory.dmp

memory/1688-8-0x0000000000620000-0x0000000000630000-memory.dmp

memory/1688-11-0x00000000007F0000-0x0000000000802000-memory.dmp

memory/1688-12-0x0000000000810000-0x000000000081C000-memory.dmp

memory/1688-10-0x0000000000650000-0x0000000000658000-memory.dmp

memory/1688-9-0x0000000000630000-0x0000000000646000-memory.dmp

memory/1688-14-0x0000000000800000-0x0000000000810000-memory.dmp

memory/1688-15-0x0000000000820000-0x000000000082A000-memory.dmp

memory/1688-13-0x00000000007E0000-0x00000000007E8000-memory.dmp

memory/1688-7-0x0000000000260000-0x0000000000268000-memory.dmp

memory/1688-16-0x0000000000D30000-0x0000000000D86000-memory.dmp

memory/1688-6-0x0000000000240000-0x000000000025C000-memory.dmp

memory/1688-17-0x0000000000830000-0x000000000083C000-memory.dmp

memory/1688-19-0x0000000000C90000-0x0000000000C9C000-memory.dmp

memory/1688-21-0x0000000000D80000-0x0000000000D92000-memory.dmp

memory/1688-20-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

memory/1688-18-0x0000000000840000-0x0000000000848000-memory.dmp

memory/1688-22-0x0000000000DB0000-0x0000000000DBC000-memory.dmp

memory/1688-25-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

memory/1688-26-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

memory/1688-24-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

memory/1688-23-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

memory/1688-28-0x0000000000E90000-0x0000000000E9C000-memory.dmp

memory/1688-32-0x0000000000FD0000-0x0000000000FDE000-memory.dmp

memory/1688-35-0x00000000011E0000-0x00000000011E8000-memory.dmp

memory/1688-36-0x00000000011F0000-0x00000000011FA000-memory.dmp

memory/1688-37-0x0000000001200000-0x000000000120C000-memory.dmp

memory/1688-34-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

memory/1688-33-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

memory/1688-31-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

memory/1688-30-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

memory/1688-29-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

memory/1688-27-0x0000000000E80000-0x0000000000E88000-memory.dmp

C:\Windows\Migration\WTR\sppsvc.exe

MD5 49c8ca6dcd8990e9d840ec142959abe8
SHA1 7ff8e014f01f82bab6e239bde43bd60592af90e7
SHA256 dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e
SHA512 59f10d0dd41296d8d5d08ff930ad920ce5c4fe25eeee669ea0225c815f9c06e0487a6fd1f18d373a54aa16f29b37bab9f247961f31d2b2fdf706095a12c82f15

memory/1164-50-0x0000000001040000-0x00000000013AA000-memory.dmp

memory/1688-51-0x000007FEF6020000-0x000007FEF6A0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fa902151-af1c-40aa-99e5-27884010fcfa.vbs

MD5 d59c497b12e82d1a769e7980b9b918b6
SHA1 7df5310e82725b04d2b8a4597c152d091bf71471
SHA256 02221eb064b80f6473e5c048a3d285f50f62dfd274ebb84a5f3a7fd7149d98ab
SHA512 6d478e392bb5d6b1595f908b345a85fa90036068195129711442588e3a84f2158b722c940f272dd200c68abb97d165580d429600f0335ee99aa9f18e929c53af

C:\Users\Admin\AppData\Local\Temp\9aa376a8-f62b-4d9c-b6e8-ce18ff13eff2.vbs

MD5 4fa58fd89ec304cff88b6ec82ae7e72d
SHA1 8a3bea0f9a0cf91af69cca60642a1511407e1487
SHA256 028c31451561088381776813195c916f71f8d8afaebac5004359964790418e3c
SHA512 e49b8d359bf05c97748a4332771f8e0cd76367e3f3c8b7a19de1b1ee2d0382be2b09858309d90949e2f1f7b3e41693afc941ec438175a41efb45cd93d3562d5a

memory/860-62-0x00000000011C0000-0x000000000152A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\834ea942-c94a-4339-9194-1996b1637afd.vbs

MD5 4fa5b2f101fdff63733fe03cc0c48a71
SHA1 e4cc957d1e7f950d32ac3bbfa30aee0e8b4a5441
SHA256 28b53596e93598a499e0e3c542204a3243d565916143ddcdfa7006547906d040
SHA512 d92fb44e4733d1392c278c0528575962cfd24597f51fc3758d4f3e198eced6c789b4dff3b360742148afe67833b74fa0a332f190a147ddc0301a25b0b854e467

memory/1928-74-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5c873ca4-cd2f-44c7-807e-480e7df54a6f.vbs

MD5 96b7849fcdc86e842f1fdf719c735b5b
SHA1 cc52c3ca00d087e015b1291065abaa34589de8ad
SHA256 5ffb5b8353610d895e206ea6dcc6d6d8583ac81ff0c521ff1e6f6a5bcba63be3
SHA512 d854ef52f46c33d508fc4b9280cc17d3e22fb870e906696088ae211022861678972d7e6b2960365fb0b93aab1f133a2537f354d0eeb2473950d7acb50c85c438

C:\Users\Admin\AppData\Local\Temp\333dbb62-3bf9-4386-866b-b258fff209d6.vbs

MD5 560f6eaaa36bd2b54ec8ac4250af6db0
SHA1 04b5918bd05cc440cf0738a782086f63348279aa
SHA256 4857acb480deea195f797fb0ddbec84a56c1ae1baf24413ad838ea03ebab509f
SHA512 07823f4f745c19fed57ed81ce92bbbed5ff342834f93493416ce45b86595fa229d875dfce0b0f8c03028af24494650cd06aed8e10eebeaa3f123ac9f14b0daf1

C:\Users\Admin\AppData\Local\Temp\3b26ee39-038c-4579-930a-3e0e64c8feb7.vbs

MD5 c0d1c5772bdc81914e98258cba747c8b
SHA1 81829063f5512b0f9448ecf879972592ead9e503
SHA256 b2afac152e615562a5e85e0b44f8c0ce3d78da57d89671cf43974f9be2ee70b8
SHA512 b82f4a40846be3a64639f8986068d4dbe2eb56161cd75896ecc47eb045e5a1f9791d8e36164a0cfa9f506188e892dd61502682a6b6a743a0930e57077471cc3a

memory/1488-108-0x0000000000480000-0x0000000000492000-memory.dmp

memory/1488-109-0x0000000000B80000-0x0000000000B92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88006fa1-6865-4890-af6d-0aba28078d98.vbs

MD5 f97c1188213c62dc38f9ca5a226df57a
SHA1 0b8a0ed519128716e02246aa58a72648fd0a594e
SHA256 a12a03b9a0ff9c0828ebcc19c51b6f107d1e1f0acb34817e9fa8b378119bb1a9
SHA512 c35b7ba101a1651fc3ad0525e809d8042190e06ab0372d265040de42461e21c74d438309a3dc13c17aaaa99c9ea3ca350a73310327984286507d18a6374941a6

C:\Users\Admin\AppData\Local\Temp\c2644cc7-739e-413a-91c9-fc66742a065f.vbs

MD5 afabcc305bb23de77fbfc1961bd0f533
SHA1 8de2ba00d6f83ab937b3bf9f06a96dd545311549
SHA256 9009d45d8711843334c65f8f2203a81b49f80b3109923c20efef8a4c7fb5105d
SHA512 afa67f111ff806fc4348ba62755ed41bf174f0e42e9d453f610f8a1b2eb48a6c53c5fbe409151c278229747f0b8f3482fe8257e42411fa6bf21d64fd5e4d9db9

memory/2980-132-0x0000000000170000-0x00000000004DA000-memory.dmp

memory/2980-133-0x0000000000850000-0x00000000008A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2c8184de-7c54-4e9c-89a1-73db8a73db61.vbs

MD5 1bd5c09ae4067f7894f64adbe6c0f2f0
SHA1 fad342b2b6bf5b8db225da061cce50115299cb18
SHA256 2a5948c6af96f08c4b97e7c9de8279bbef3514a964695d4e5025a2623dd91cfe
SHA512 9e734300ebd59573d268c6004036020aee034a6cef6f5fc028da17af9508c175cebb44e5c2a65d234ec9be4b82a82aafcddeef0816cebeb758911dabc2cf3779

memory/2476-145-0x00000000012C0000-0x000000000162A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a28078d8-66c2-480d-939a-af22addf3d21.vbs

MD5 1b0a8e677a95c37cc07ab3ff357fa096
SHA1 15cb2e385e6899688bbfe8f4787e563ef92e3a54
SHA256 888871ca29e95f023c6e3dc6784d55e86ef6b61e1e0dca58537480c8d506b92d
SHA512 0727a8f6dc9086fe0306882747ecc08470afad405ddd3f1bfc9b896cdf1da5680b9ef2c65d717f53335e36e93a1f4f7bdd8a47a2602ce45d7341cba0a8633dad

memory/2172-157-0x0000000000700000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d1c48bde-034e-47f3-88ea-57c473faf37f.vbs

MD5 42f6775a2be4dc9c6ec3b8e05af32ffa
SHA1 3b36c949caaa64a69333ac22e8aec0270bb594d4
SHA256 48c8d0e1c0ab347976ed3b6f0c6f5d8fdfab5c5ebfe3b11c1b5d054c62e98be3
SHA512 7045ddde16f88d2b318fa5d1fcb26aad2739e050e8fc5476602378b017e23916dc7063fd71746bc21742e075d51bb2c73cb5125fc8d25db0d1f005e317e1b75d

memory/1808-169-0x0000000000320000-0x000000000068A000-memory.dmp

memory/1808-170-0x0000000000800000-0x0000000000812000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\63669626-2bc1-4dff-8922-ca194afc24b5.vbs

MD5 35ea6417e0f9c7981b103fd32a36c311
SHA1 af2604b9509fb5f31e4398fde2d0c46c62f6057b
SHA256 428ed0cdd86667a7cd4b278550a8c43f646279e5a5fb74e9b78156c5314bacfc
SHA512 9b7d65bb1c5b6eb834c3d18dc56beda45dfe8990f5afeef505148a9faa95a8562359851768ae8b822e2eceb4457133fb30400309b6c1d076cd2129a5dc27b3a4

memory/1948-182-0x0000000000300000-0x000000000066A000-memory.dmp

memory/1948-183-0x00000000007F0000-0x0000000000802000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bcb29992-ecf2-46cd-891a-a3572680c890.vbs

MD5 5110f010fa11375b7dc37092498e58cb
SHA1 80703de078a8f4e75c7b3070d73d01ccd520516e
SHA256 546397da568eaa8216ef75d378b886e7de44194c6100bd987934aece2b48f6c1
SHA512 e4ddfd9bf7123c33603e9e30ef9ea14c024841ccb613e378ec713baef1ed601fe2138c61f1940eab56a24cc8f76a86f5d5e378d4bf26d350acb61dd44af56692

memory/1912-195-0x00000000012E0000-0x000000000164A000-memory.dmp

memory/1912-196-0x000000001AB80000-0x000000001AB92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aeb4ec00-b0cd-4f09-b6dd-eb97608ab5ba.vbs

MD5 72e1e254dfc5f1a0707b79d688279c81
SHA1 729c397e12eab48e99b89a9c8a6820f5ffd0d886
SHA256 4c02d8a951b55927bce561e14cef5812b1d1195b88a4dd93d0c48a8054858cdf
SHA512 b1063303ff6b92d751730f6f000210c1ecf9a96b67f4cb39530040f599efc874613f49cf582b3eb5d458524a859273b5a1b0e77a72612999577b1007a497058d