Malware Analysis Report

2024-10-10 13:00

Sample ID 240617-hfr2aasfqq
Target 20ba93789eb7001ba9e4842bcc69fe62.exe
SHA256 5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db
Tags dcrat evasion infostealer persistence rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db

Threat Level: Known bad

The file 20ba93789eb7001ba9e4842bcc69fe62.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer persistence rat trojan

DcRat

DCRat payload

Dcrat family

UAC bypass

Modifies WinLogon for persistence

Process spawned unexpected child process

DCRat payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-17 06:41

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-17 06:41

Reported 2024-06-17 06:43

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\es-ES\\System.exe\", \"C:\\Users\\Default\\Desktop\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\es-ES\\System.exe\", \"C:\\Users\\Default\\Desktop\\RuntimeBroker.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\es-ES\\System.exe\", \"C:\\Users\\Default\\Desktop\\RuntimeBroker.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\es-ES\\System.exe\", \"C:\\Users\\Default\\Desktop\\RuntimeBroker.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Java\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\es-ES\\System.exe\", \"C:\\Users\\Default\\Desktop\\RuntimeBroker.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Java\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\TAPI\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\es-ES\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Java\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Mail\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Desktop\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Desktop\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\TAPI\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\es-ES\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Java\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\TAPI\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\es-ES\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Program Files\Java\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\TAPI\lsass.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File opened for modification C:\Windows\TAPI\lsass.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\TAPI\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\es-ES\System.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\es-ES\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\rescache\_merged\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
PID 5096 wrote to memory of 4952 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5096 wrote to memory of 1252 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4952 wrote to memory of 1064 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
PID 1064 wrote to memory of 2364 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1064 wrote to memory of 1284 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2364 wrote to memory of 3780 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
PID 3780 wrote to memory of 3760 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3780 wrote to memory of 1560 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3760 wrote to memory of 4572 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
PID 4572 wrote to memory of 2928 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4572 wrote to memory of 3236 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2928 wrote to memory of 4472 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
PID 4472 wrote to memory of 2564 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4472 wrote to memory of 4976 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2564 wrote to memory of 1340 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
PID 1340 wrote to memory of 4604 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1340 wrote to memory of 4124 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4604 wrote to memory of 2960 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
PID 2960 wrote to memory of 2588 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2960 wrote to memory of 1768 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2588 wrote to memory of 3352 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
PID 3352 wrote to memory of 4560 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3352 wrote to memory of 1860 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4560 wrote to memory of 2184 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
PID 2184 wrote to memory of 4832 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2184 wrote to memory of 1108 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4832 wrote to memory of 4376 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe
PID 4376 wrote to memory of 464 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4376 wrote to memory of 3708 N/A C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe

"C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\TAPI\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\es-ES\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cf2d0e4-a802-4843-bced-c6d0967789f1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87910a92-e12f-4fad-8314-a69460793140.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3888,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9303248d-6919-4ec9-a9ba-62880a3f6e0d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bdaa9ab-59a1-4048-ad7d-c89fc10092ce.vbs"

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b22107e5-084f-456a-a6c7-56ece33e1d4a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1e79527-35c1-451f-863f-ec6c3bb319ac.vbs"

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16efaab9-2b8b-4714-b31b-17bc9459a110.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66c09795-b5f2-497d-b8d2-5f4185fe5718.vbs"

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\687110eb-ba75-496c-a07e-23254dba994c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26d6e842-1a08-4799-9b08-002009b87fe3.vbs"

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cda05c3-e8d9-48da-b2eb-7bb3711ea175.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\047c98c4-3d3d-491e-9d0f-f99d4148acde.vbs"

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd4652a3-eb17-44be-b016-7d44d199a16b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1146762-b4e1-43ba-8266-bb296b310ae9.vbs"

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b8e0d0b-bf06-47cd-a8eb-8e399325bcb6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e3d40aa-9208-46e8-be0c-8876f695605d.vbs"

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29fb24ca-96f4-4152-bae1-a417b0742181.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72bae0f5-f235-48b5-9f9c-2a5a1b86d364.vbs"

C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9538f187-25df-4e2c-b22c-fd7a45a47fb6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\932df7b6-3cd5-42f1-a2c0-871ffb529679.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 a0992097.xsph.ru udp

Files

C:\Users\Default\AppData\Roaming\Microsoft\csrss.exe

C:\Users\Admin\AppData\Local\Temp\2cf2d0e4-a802-4843-bced-c6d0967789f1.vbs

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

C:\Users\Admin\AppData\Local\Temp\1bdaa9ab-59a1-4048-ad7d-c89fc10092ce.vbs

C:\Users\Admin\AppData\Local\Temp\9303248d-6919-4ec9-a9ba-62880a3f6e0d.vbs

C:\Users\Admin\AppData\Local\Temp\b22107e5-084f-456a-a6c7-56ece33e1d4a.vbs

C:\Users\Admin\AppData\Local\Temp\16efaab9-2b8b-4714-b31b-17bc9459a110.vbs

C:\Users\Admin\AppData\Local\Temp\687110eb-ba75-496c-a07e-23254dba994c.vbs

C:\Users\Admin\AppData\Local\Temp\7cda05c3-e8d9-48da-b2eb-7bb3711ea175.vbs

C:\Users\Admin\AppData\Local\Temp\fd4652a3-eb17-44be-b016-7d44d199a16b.vbs

C:\Users\Admin\AppData\Local\Temp\9b8e0d0b-bf06-47cd-a8eb-8e399325bcb6.vbs

C:\Users\Admin\AppData\Local\Temp\29fb24ca-96f4-4152-bae1-a417b0742181.vbs

C:\Users\Admin\AppData\Local\Temp\9538f187-25df-4e2c-b22c-fd7a45a47fb6.vbs


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 06:41

Reported

2024-06-17 06:43

Platform

win7-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Windows\\ModemLogs\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Windows\\ModemLogs\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Windows\\ModemLogs\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Windows\\ModemLogs\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Windows\\ModemLogs\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Windows\\ModemLogs\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Windows\\Cursors\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Windows\\ModemLogs\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\explorer.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Windows\\ModemLogs\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\explorer.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\csrss.exe\", \"C:\\Windows\\Logs\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Windows\\ModemLogs\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\explorer.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\csrss.exe\", \"C:\\Windows\\Logs\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\", \"C:\\Windows\\ModemLogs\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\", \"C:\\Windows\\Cursors\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\explorer.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\csrss.exe\", \"C:\\Windows\\Logs\\csrss.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\csrss.exe\", \"C:\\Windows\\fr-FR\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Cursors\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Logs\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Cursors\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Logs\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\fr-FR\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\fr-FR\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\ModemLogs\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\ModemLogs\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\7-Zip\\Lang\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Defender\\en-US\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Reader 9.0\explorer.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Program Files\7-Zip\Lang\lsm.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Program Files\7-Zip\Lang\101b941d020240 C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Program Files\Windows Defender\en-US\audiodg.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Program Files\Windows Defender\en-US\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\fr-FR\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\ModemLogs\audiodg.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\ModemLogs\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\Cursors\Idle.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\Cursors\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\Logs\csrss.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\Logs\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
File created C:\Windows\fr-FR\explorer.exe C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe
PID 1664 wrote to memory of 2120 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe C:\Windows\System32\WScript.exe
PID 1664 wrote to memory of 1756 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe C:\Windows\System32\WScript.exe
PID 2120 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe
PID 2636 wrote to memory of 2504 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe C:\Windows\System32\WScript.exe
PID 2636 wrote to memory of 1000 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe C:\Windows\System32\WScript.exe
PID 2504 wrote to memory of 1728 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe
PID 1728 wrote to memory of 2368 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe C:\Windows\System32\WScript.exe
PID 1728 wrote to memory of 1692 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe C:\Windows\System32\WScript.exe
PID 2368 wrote to memory of 1676 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe
PID 1676 wrote to memory of 2992 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe C:\Windows\System32\WScript.exe
PID 1676 wrote to memory of 1108 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe C:\Windows\System32\WScript.exe
PID 2992 wrote to memory of 2980 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe
PID 2980 wrote to memory of 2408 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe C:\Windows\System32\WScript.exe
PID 2980 wrote to memory of 568 N/A C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe

"C:\Users\Admin\AppData\Local\Temp\20ba93789eb7001ba9e4842bcc69fe62.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ModemLogs\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-US\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Logs\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\fr-FR\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\explorer.exe'" /rl HIGHEST /f

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43d43bdd-4c94-4b42-8161-f498eb34e50b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf7d071-e203-4ab2-a638-4bfeeb653aa0.vbs"

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d8c3e02-64cd-4f6f-b8b3-04e61ae934b4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9d807b6-316e-4868-9e16-8d60c5a5bc85.vbs"

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d70860a-ddae-4f72-97fd-0645552c7efb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddad156a-4cbf-428d-b667-b934704c8f21.vbs"

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b320144-3cfe-4cdc-9868-932c722113aa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24218eae-ef98-46c1-9093-4143d8621ca5.vbs"

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe

"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf9eab9e-52cf-4254-957d-6516660b970f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2e687e3-daf9-42a1-b9e4-e26e6d29b203.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0992097.xsph.ru udp

Files

C:\Program Files\Windows Defender\en-US\audiodg.exe

C:\Users\Admin\AppData\Local\Temp\43d43bdd-4c94-4b42-8161-f498eb34e50b.vbs

C:\Users\Admin\AppData\Local\Temp\cbf7d071-e203-4ab2-a638-4bfeeb653aa0.vbs

C:\Users\Admin\AppData\Local\Temp\4d8c3e02-64cd-4f6f-b8b3-04e61ae934b4.vbs

C:\Users\Admin\AppData\Local\Temp\f00ff39d9f2d704cff7eff53b76408fcad5bb285.exe

C:\Users\Admin\AppData\Local\Temp\4d70860a-ddae-4f72-97fd-0645552c7efb.vbs

C:\Users\Admin\AppData\Local\Temp\5b320144-3cfe-4cdc-9868-932c722113aa.vbs

C:\Users\Admin\AppData\Local\Temp\bf9eab9e-52cf-4254-957d-6516660b970f.vbs
