Malware Analysis Report

2024-10-10 13:08

Sample ID 240617-je8s3szhnd
Target 1c56f7e7eddc792f68ac6f3cab2a4681.exe
SHA256 b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2

Threat Level: Known bad

The file 1c56f7e7eddc792f68ac6f3cab2a4681.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

Process spawned unexpected child process

DCRat payload

UAC bypass

Dcrat family

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 07:36

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 07:36

Reported

2024-06-17 07:38

Platform

win7-20240508-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(the row above is repeated 36 times in the report, one per schtasks.exe launch; every one of the 36 launches has WmiPrvSE.exe as its parent)
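The 36 rows above all say the same thing: schtasks.exe was started with WmiPrvSE.exe as its parent. On Windows, a process created through WMI (Win32_Process.Create) is always parented by WmiPrvSE.exe, so the parent column tells you the task was registered via WMI but no longer names the real initiator; attribution has to come from the task name and target recorded by schtasks.exe itself and from the logon session. The following parent/child check is an added example, not part of this sandbox report. Its event records are constructed to mirror the report's process rows, and EXPECTED_PARENTS and NEVER_PARENTS are an illustrative baseline to be tuned per environment, not a vendor list.

```python
"""Parent/child anomaly check over process-creation events.

Added example, not part of the sandbox report. The ProcEvent records below are
constructed to mirror the report's rows (36 schtasks.exe launches parented by
WmiPrvSE.exe, the dropper's twelve powershell.exe children, the cmd.exe branch);
EXPECTED_PARENTS and NEVER_PARENTS are an illustrative baseline to tune per estate.
"""
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of the process that created it


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


# Children worth constraining, with the parents that normally launch them.
EXPECTED_PARENTS = {
    "schtasks.exe":   {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe", "mmc.exe"},
    "powershell.exe": {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe"},
    "wscript.exe":    {"cmd.exe", "explorer.exe"},
}

# Parents that should not be launching command-line tooling at all. WmiPrvSE.exe is the
# parent of every process started through WMI (Win32_Process.Create), so a schtasks.exe
# under it means "started via WMI" and the parent column no longer names the initiator.
NEVER_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "outlook.exe"}


def classify(ev: ProcEvent) -> str:
    """Return 'never-parent', 'unexpected-parent' or 'ok' (highest severity first)."""
    child, parent = basename(ev.image), basename(ev.parent_image)
    if child not in EXPECTED_PARENTS:
        return "ok"                      # not a constrained child; no opinion
    if parent in NEVER_PARENTS:
        return "never-parent"
    if parent not in EXPECTED_PARENTS[child]:
        return "unexpected-parent"
    return "ok"


def find_unexpected(events):
    return [(ev, classify(ev)) for ev in events if classify(ev) != "ok"]


def summarize(events) -> dict:
    """Count flagged (parent, child) pairs, e.g. {('wmiprvse.exe', 'schtasks.exe'): 36}."""
    counts = Counter((basename(ev.parent_image), basename(ev.image))
                     for ev, _ in find_unexpected(events))
    return dict(counts)


# Constructed events mirroring the report's process rows.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = (
    [ProcEvent(r"C:\Windows\system32\schtasks.exe", r"C:\Windows\system32\wbem\wmiprvse.exe")] * 36
    + [ProcEvent(POWERSHELL, DROPPER)] * 12
    + [
        ProcEvent(r"C:\Windows\System32\cmd.exe", DROPPER),
        ProcEvent(r"C:\Windows\system32\w32tm.exe", r"C:\Windows\System32\cmd.exe"),
        ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\explorer.exe"),  # benign control
    ]
)

if __name__ == "__main__":
    for (parent, child), n in sorted(summarize(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {parent} -> {child}")
```

Run against the constructed events, the check reports the 36 WmiPrvSE.exe -> schtasks.exe launches at the highest severity and the dropper's 12 powershell.exe children as an unexpected parent, while cmd.exe -> w32tm.exe and explorer.exe -> schtasks.exe pass. Treating "any schtasks.exe under WmiPrvSE.exe" as high severity is deliberate: legitimate management tooling that drives WMI usually creates tasks through the Task Scheduler API from a known service account, not by shelling out to schtasks.exe.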

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(9 identical rows: the payload signature matched 9 times with no indicator detail recorded)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
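What the two tables above record is not a UAC bypass in the usual sense but UAC being switched off through policy values under HKLM: EnableLUA=0 disables UAC outright (it takes effect after the next reboot), ConsentPromptBehaviorAdmin=0 lets administrators elevate without any prompt, and PromptOnSecureDesktop=0 moves the prompts off the secure desktop. Writing those values already requires an elevated context, so the dropper must have been running with administrative rights when it did this. The audit below is an added example, not part of this sandbox report: it parses rows in the report's own format, replays the writes in order, and reports which values were weakened, by which process, and how the final state differs from a hardened baseline. The baseline values (EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1) are the commonly recommended hardened settings and are an assumption of this example, not something the report states.

```python
"""Audit registry writes for the UAC policy values this sample zeroes.

Added example, not part of the sandbox report. The rows are rebuilt from the
report's "UAC bypass" table, in the report's own row format, plus two constructed
control rows; BASELINE is the commonly recommended hardened setting and is an
assumption of this example, not something the report states.
"""
import re
from dataclasses import dataclass
from typing import Optional

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (data that weakens UAC, what that data does)
WEAKENING = {
    "EnableLUA": ("0", "UAC switched off; takes effect after the next reboot"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate silently, no prompt"),
    "PromptOnSecureDesktop": ("0", "elevation prompts drawn on the normal desktop, not the secure desktop"),
}
# Assumed hardened baseline: UAC on, always prompt for consent, prompt on the secure desktop.
BASELINE = {"EnableLUA": "1", "ConsentPromptBehaviorAdmin": "2", "PromptOnSecureDesktop": "1"}

# Matches the report's "Set value (int) <path> = "<data>" <process> N/A" and
# "Key value queried <path> <process> N/A" rows.
ROW_RE = re.compile(
    r'^(?P<op>Set value \(int\)|Key value queried) (?P<path>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<data>[^"]*)")? (?P<proc>.+?) N/A$'
)


@dataclass(frozen=True)
class RegEvent:
    op: str                # "set" or "query"
    key: str
    name: str
    data: Optional[str]    # None for queries
    process: str


def parse_row(line: str) -> Optional[RegEvent]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    op = "set" if m["op"].startswith("Set") else "query"
    return RegEvent(op, key, name, m["data"], m["proc"])


def audit(lines):
    """Replay the writes in order; report weakening writes, final state, drift and writers."""
    findings, state, writers = [], dict(BASELINE), set()
    for ev in filter(None, map(parse_row, lines)):
        if ev.op != "set" or ev.key.lower() != UAC_KEY.lower() or ev.name not in WEAKENING:
            continue
        state[ev.name] = ev.data
        bad, meaning = WEAKENING[ev.name]
        if ev.data == bad:
            findings.append((ev.name, ev.process, meaning))
            writers.add(ev.process)
    drift = {k: v for k, v in state.items() if v != BASELINE[k]}
    return {"findings": findings, "state": state, "drift": drift, "writers": sorted(writers)}


CSRSS = r"C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe"


def set_row(name: str, data: str, proc: str) -> str:
    return f'Set value (int) {UAC_KEY}\\{name} = "{data}" {proc} N/A'


# (value, writer) for the 15 writes in the report's "UAC bypass" table, in order.
REPORT_WRITES = [
    ("PromptOnSecureDesktop", DROPPER), ("EnableLUA", CSRSS), ("PromptOnSecureDesktop", CSRSS),
    ("EnableLUA", DROPPER), ("ConsentPromptBehaviorAdmin", CSRSS), ("PromptOnSecureDesktop", CSRSS),
    ("ConsentPromptBehaviorAdmin", CSRSS), ("ConsentPromptBehaviorAdmin", DROPPER),
    ("PromptOnSecureDesktop", CSRSS), ("EnableLUA", CSRSS), ("PromptOnSecureDesktop", CSRSS),
    ("ConsentPromptBehaviorAdmin", CSRSS), ("EnableLUA", CSRSS), ("ConsentPromptBehaviorAdmin", CSRSS),
    ("EnableLUA", CSRSS),
]
SAMPLE_ROWS = [
    # constructed controls: a baseline-restoring write and a read, neither of which should be flagged
    set_row("ConsentPromptBehaviorAdmin", "2", r"C:\Windows\System32\svchost.exe"),
    f"Key value queried {UAC_KEY}\\EnableLUA {CSRSS} N/A",
] + [set_row(name, "0", proc) for name, proc in REPORT_WRITES]

if __name__ == "__main__":
    result = audit(SAMPLE_ROWS)
    for name, proc, meaning in result["findings"]:
        print(f"{name} <- 0 by {proc}: {meaning}")
    print("effective:", result["state"], "drift:", result["drift"])
```

On the report's rows the audit returns 15 weakening writes from two processes (the dropper and the csrss.exe copy it planted under Windows Sidebar\ja-JP) and a final state in which all three values are 0. The same three values are what to read back on a suspected host, and EnableLUA=0 on a machine that has not rebooted since the write is the tell that the change was made by the intruder rather than by an administrator long ago.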

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\RCX364E.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\dtplugin\RCX4035.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\dtplugin\RCX4034.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\RCX3439.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\it-IT\RCX3030.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\RCX364D.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX38BF.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\dtplugin\smss.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Windows Media Player\de-DE\56085415360792 C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\ja-JP\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\ja-JP\RCX2722.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\csrss.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Internet Explorer\csrss.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files\Java\jre7\bin\dtplugin\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\ja-JP\RCX2723.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\it-IT\RCX2FC2.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\it-IT\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files\Java\jre7\bin\dtplugin\smss.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\RCX3438.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX38C0.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Internet Explorer\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ehome\ja-JP\csrss.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Windows\ehome\ja-JP\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Windows\ehome\ja-JP\RCX2BA8.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Windows\ehome\ja-JP\RCX2BA9.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Windows\ehome\ja-JP\csrss.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
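Every executable the dropper plants in the two tables above reuses the name of a core Windows process (csrss.exe, smss.exe, wininit.exe, sppsvc.exe) or a process that has no image on disk at all (Idle.exe), placed under Program Files and Windows\ehome rather than System32, and each one arrives with a 14-character hex-named companion file in the same directory. The triage below is an added example, not part of this sandbox report: it parses rows in the report's own format and flags system-binary names outside their home directories together with the marker files beside them. The list of protected names, the allowed roots and the marker pattern are this example's assumptions; the marker naming is what this particular sample does, not a documented DCRat constant.

```python
"""Flag dropped files that borrow core Windows binary names outside their home
directory, and the companion marker files created beside them.

Added example, not part of the sandbox report. The rows are rebuilt from the
report's "File created" entries in the report's row format, plus two constructed
control rows. SYSTEM_BINARIES, ALLOWED_ROOTS and NEVER_ON_DISK are this example's
assumptions; the 14-character hex marker name is what this particular sample drops,
not a documented DCRat constant.
"""
import re
from pathlib import PureWindowsPath

# Matches the report's "File created <target> <process> N/A" style rows.
ROW_RE = re.compile(
    r'^(?P<op>File created|File opened for modification) (?P<target>.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$'
)

# Binaries that legitimately exist only under System32 (or the WinSxS component store);
# the same name anywhere else is masquerading (ATT&CK T1036.005).
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "lsass.exe",
                   "services.exe", "sppsvc.exe", "svchost.exe", "dwm.exe"}
ALLOWED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\winsxs\\")
# "System Idle Process" has no image on disk, so any Idle.exe is suspect wherever it is.
NEVER_ON_DISK = {"idle.exe"}
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")


def parse_row(line: str):
    m = ROW_RE.match(line.strip())
    return (m["op"], m["target"], m["proc"]) if m else None


def is_masquerade(path: str) -> bool:
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in NEVER_ON_DISK:
        return True
    return name in SYSTEM_BINARIES and not str(p).lower().startswith(ALLOWED_ROOTS)


def triage(lines):
    """Masquerading executables, marker files dropped beside them, and the processes responsible."""
    rows = [r for r in map(parse_row, lines) if r]
    created = {target for op, target, _ in rows if op == "File created"}
    masq = sorted(t for t in created if is_masquerade(t))
    hot_dirs = {str(PureWindowsPath(t).parent).lower() for t in masq}
    markers = sorted(t for t in created
                     if MARKER_RE.match(PureWindowsPath(t).name)
                     and str(PureWindowsPath(t).parent).lower() in hot_dirs)
    flagged = set(masq) | set(markers)
    droppers = sorted({proc for _, t, proc in rows if t in flagged})
    return {"masquerade": masq, "markers": markers, "droppers": droppers}


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe"
REPORT_CREATED = [  # targets of the report's "File created" rows
    r"C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe",
    r"C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe",
    r"C:\Program Files (x86)\Windows Media Player\de-DE\56085415360792",
    r"C:\Program Files (x86)\Windows Sidebar\ja-JP\886983d96e3d3e",
    r"C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe",
    r"C:\Program Files\Reference Assemblies\Microsoft\Framework\0a1fd5f707cd16",
    r"C:\Program Files (x86)\Internet Explorer\csrss.exe",
    r"C:\Program Files\Java\jre7\bin\dtplugin\69ddcba757bf72",
    r"C:\Program Files (x86)\Windows Sidebar\it-IT\6ccacd8608530f",
    r"C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe",
    r"C:\Program Files\Java\jre7\bin\dtplugin\smss.exe",
    r"C:\Program Files (x86)\Internet Explorer\886983d96e3d3e",
    r"C:\Windows\ehome\ja-JP\csrss.exe",
    r"C:\Windows\ehome\ja-JP\886983d96e3d3e",
]
SAMPLE_ROWS = [f"File created {t} {DROPPER} N/A" for t in REPORT_CREATED] + [
    # constructed controls: a write under an allowed root, and one of the report's temp-file rows
    r"File created C:\Windows\System32\csrss.exe C:\Windows\System32\svchost.exe N/A",
    rf"File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\RCX364E.tmp {DROPPER} N/A",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for key in ("masquerade", "markers", "droppers"):
        print(key + ":", *result[key], sep="\n  ")
```

On the report's rows this yields seven masquerading executables, seven marker files in the same seven directories, and a single responsible process, the original dropper. Pairing the marker with the executable matters for cleanup: removing only the .exe and leaving the companion file behind is the kind of partial remediation that lets a scheduled task quietly re-create the binary, so both should be collected and both removed.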

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(36 identical rows; compare the 36 WmiPrvSE.exe-parented schtasks.exe launches under Process spawned unexpected child process)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
(37 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(12 identical rows)
N/A N/A C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
(15 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(12 identical rows)
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
(4 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each parent/child pair below is recorded as three consecutive writes; the table is cut off after the second write of the last pair; pairs are listed once here, in the report's order)
PID 2100 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\cmd.exe
PID 2228 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2228 wrote to memory of 848 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe
PID 848 wrote to memory of 2680 N/A C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe C:\Windows\System32\WScript.exe
PID 848 wrote to memory of 2600 N/A C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe C:\Windows\System32\WScript.exe
PID 2680 wrote to memory of 2456 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe
PID 2456 wrote to memory of 2376 N/A C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe C:\Windows\System32\WScript.exe
PID 2456 wrote to memory of 2496 N/A C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe C:\Windows\System32\WScript.exe
PID 2376 wrote to memory of 2748 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe
PID 2376 wrote to memory of 2748 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe
PID 2748 wrote to memory of 596 N/A C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe

"C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\ja-JP\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ehome\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1tAmoV2IV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe

"C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\509e1094-a675-40b6-a46f-fb166eaaee03.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03b2e333-47f7-439d-a25f-9c2cdc0aa032.vbs"

C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe

"C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04d6dcbc-f16b-443b-ba17-8dff7b15a6a3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cea80661-0164-43f2-927e-e5afa0f6a398.vbs"

C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe

"C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c5f2f4b-81c5-4cff-9db2-d7bf1e0a4861.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aaceb27-ca44-489f-a08a-d1e22b34ccd9.vbs"

C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe

"C:\Program Files (x86)\Windows Sidebar\ja-JP\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edfe257d-9713-433f-bba3-d4f570f253aa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d3467a8-9917-41a1-8be5-0147bbf3d084.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0986195.xsph.ru udp
US 8.8.8.8:53 a0986195.xsph.ru udp
US 8.8.8.8:53 a0986195.xsph.ru udp
US 8.8.8.8:53 a0986195.xsph.ru udp
US 8.8.8.8:53 a0986195.xsph.ru udp
US 8.8.8.8:53 a0986195.xsph.ru udp
US 8.8.8.8:53 a0986195.xsph.ru udp

Files

memory/2100-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

memory/2100-1-0x0000000000FF0000-0x00000000012EE000-memory.dmp

memory/2100-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

memory/2100-3-0x0000000000550000-0x0000000000558000-memory.dmp

memory/2100-4-0x0000000000560000-0x000000000057C000-memory.dmp

memory/2100-5-0x0000000000580000-0x0000000000588000-memory.dmp

memory/2100-6-0x0000000000590000-0x00000000005A0000-memory.dmp

memory/2100-9-0x0000000000A80000-0x0000000000A90000-memory.dmp

memory/2100-8-0x00000000005C0000-0x00000000005C8000-memory.dmp

memory/2100-7-0x00000000005A0000-0x00000000005B6000-memory.dmp

memory/2100-10-0x0000000000A70000-0x0000000000A7A000-memory.dmp

memory/2100-11-0x0000000000D50000-0x0000000000DA6000-memory.dmp

memory/2100-12-0x0000000000A90000-0x0000000000A9C000-memory.dmp

memory/2100-15-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

memory/2100-14-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

memory/2100-13-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

memory/2100-16-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

memory/2100-19-0x0000000000E80000-0x0000000000E8C000-memory.dmp

memory/2100-18-0x0000000000E70000-0x0000000000E7C000-memory.dmp

memory/2100-17-0x0000000000E60000-0x0000000000E68000-memory.dmp

memory/2100-27-0x000000001AE30000-0x000000001AE3C000-memory.dmp

memory/2100-26-0x000000001AE20000-0x000000001AE2A000-memory.dmp

memory/2100-25-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

memory/2100-24-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

memory/2100-23-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

memory/2100-22-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

memory/2100-21-0x0000000000E90000-0x0000000000E9A000-memory.dmp

memory/2100-20-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

memory/2100-30-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe

MD5 1c56f7e7eddc792f68ac6f3cab2a4681
SHA1 ec7d386f705bec9d369afc8a01cfcbfb36f7518d
SHA256 b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2
SHA512 2adaaa4d4a506958541f8de3448d13a014da7f00124f8844b9ebd43af8d82834ee549a08fe4685fdd7865890139b2a718c737f8ac4b1520f0db8fa6e5dbfde8e

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe

MD5 6335b3705f1fdd1eb28d684f1ffea94a
SHA1 b5ae31a2c84c04b4e9de31009f30ce7ca55ad719
SHA256 78ea8095d204f1f920cfb4f21c7bc43844f0f39ecf7ddf03a5f94ea8388a9db2
SHA512 9eda2ed877fe072b264aa10d4231cc346ba0cb2327a63da6b50b7b6df5c9fa08e40bf577e26a906b6b0805134dd4b757f6ec8565b9a308d8bfc93d11cc9746ac

C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe

MD5 039eb428e40e87fbc1d66c646fe1f79a
SHA1 892deee2ee85de0f061836813c803c29d070dc5f
SHA256 ded3d7f09b13c90953dc565cd62179500b462eead03a9db983e98c80b25c4292
SHA512 7f42dd5deffad650b35f4b41242817c40b338d63fed14d2d7f714e48fd39f846adf2f04f9fe619a9cf772c9a62e3897524dcff3fad2a16e4c23f2d04e2f66075

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe

MD5 6768c05ea1380fbfa36d83c602ddba82
SHA1 7f3ccf2d3e0d9304915130de532f72bd47133096
SHA256 505f3bf1dd2dd2d1b4115fd53b53c09187a6495f82c87df8f37fc7a43a358c6e
SHA512 5e079ae2616677acd25645d04fbef1f79f036d296cebafe32317228ebdf9c4726d8fc405d4fd0299de2ade101c9ed8959eb26dd5012bcaeda016d87a8b9a248d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EZK8DFSCA0MNN6UFV1ME.temp

MD5 33ca58a940a7b412fd8e7303f43fe6b2
SHA1 48e53daac7aff5522952dde24a2cfdc0e9609dc3
SHA256 018fe1f2dc25dbe36ac644baab7348ae6a57353879da707b057a64e6190c713d
SHA512 3784ac3fcc671509178767ccf4c2b2887db652312928981b71b905d92ddd102067dbd07451b2d39f63c61ef222884c694965d4bc1f907ccf839fb97c6fc196b8

memory/2100-210-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

memory/2828-217-0x0000000002860000-0x0000000002868000-memory.dmp

memory/2828-212-0x000000001B6A0000-0x000000001B982000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a1tAmoV2IV.bat

MD5 cbdee54f1e873cc2754bcd44835c1dff
SHA1 5266db29d14623a77447df21eb038d572da1b6b6
SHA256 e00afad46413cc09c1efde5a2e197aff3929a9ce0c73f5d160534052e51a65b8
SHA512 bb40b64e48f5e6c924a4d6216469531a70bd2d0e242087a2ae48f37c58e274aee7e176a50f39eebc93de379c57aceb07cc9f88cdfcef233a7e95cd9b307e243f

memory/848-266-0x0000000001120000-0x000000000141E000-memory.dmp

memory/848-267-0x0000000000570000-0x00000000005C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\509e1094-a675-40b6-a46f-fb166eaaee03.vbs

MD5 f782a53379e8b1ea811282024b40c544
SHA1 2460322f15e20f04c0df9dcd79b4dbbe67f5a396
SHA256 c141047f496fa4d72f94d2ebc73ca0c04dd63138997f295ac0bf396ef0eef187
SHA512 4e5222719e16f2b4c14fa5d615bda2b4c2c9a2a998eb014c4e2c629eac1ec4e2827ef640c52b15bc7db5e8e80fd06a7fa3c2a9c18b589708bdd747d4daccf560

C:\Users\Admin\AppData\Local\Temp\03b2e333-47f7-439d-a25f-9c2cdc0aa032.vbs

MD5 f4fca86c92eb2a661f1757be4c7cfdaf
SHA1 962bab0e13704c21b58b3591a6ebedf0c2c29812
SHA256 b52f00c14d9a7bf8af7dc4ff0d80760e5a511f00afc60e0e9145cd4bb7bc0a9e
SHA512 a4659df1194331a7abdc315f3b8202e9124161db51e2c021baf5fcfa7085c2b67d4f613104a70e70d7663dd5fcc74f85bdb7d7a6800a572815ffb3d5d6ac452c

memory/2456-278-0x00000000000E0000-0x00000000003DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\04d6dcbc-f16b-443b-ba17-8dff7b15a6a3.vbs

MD5 43185f62ef6a3e8e3d90f4ae1200943c
SHA1 90382b6f5b35ced8f68539165f4942b377ac5ae0
SHA256 b563925017e5733441468407830e21814bfb4df6c658f7b914d715fcb0b1956c
SHA512 4badb61bca7607ae15d1543fd0f889ebdb038a383fb9d8c1ce33153f0c98c305bcbc1c2384822cee94554a3ea2b341b0130b6db44425b1da7e6a7c46ba2eee04

memory/2748-290-0x0000000000D90000-0x000000000108E000-memory.dmp

memory/2748-291-0x0000000000AB0000-0x0000000000B06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1c5f2f4b-81c5-4cff-9db2-d7bf1e0a4861.vbs

MD5 16abcb5d16b40c4a237b83b9de2a2685
SHA1 cac56964afc669821a68923ec031fd74c4c6eb5b
SHA256 cca3d98e23ff738f262765e1ef957433dcaac10ba206602423f358bd579d421b
SHA512 92ad0819c30809a1a5e8ab370e87ab26812c132943c6d3d4dbf7752be9b97d0d21600ac79c1dbebfef6083d64b1eb2ef47b0695f2bccfc4b30f714702ffd64f6

memory/1524-303-0x0000000000F40000-0x000000000123E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\edfe257d-9713-433f-bba3-d4f570f253aa.vbs

MD5 88a484b0e02563de2afdd8da81bd4203
SHA1 015c0c2377d41861e0978c36fe2b8a13b464c319
SHA256 a936668dc02aa59ad60de86e2a921ac806e2ded411a170fa1ed6d23620997156
SHA512 032b37363a503a9657c75bf72eb20199cc9c2a70a9cc4e06b9803a42d946dd91df67845ee87c1a8e9c9c824aedb28e60185210026e1d6f0e454d69888f6579cf

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 07:36

Reported

2024-06-17 07:38

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\RCXE58.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\sihost.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files\Windows Sidebar\sihost.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\reports\RCXFC87.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files\MsEdgeCrashpad\reports\msedge.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCX6C0.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\RCXDDA.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files\Windows Sidebar\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXF9F5.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\reports\RCXFC09.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\reports\msedge.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files\MsEdgeCrashpad\reports\61a52ddc9dd915 C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXF9F4.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCX6C1.tmp C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 5428 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 1072 wrote to memory of 5428 N/A C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 5428 wrote to memory of 5816 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5428 wrote to memory of 5816 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5428 wrote to memory of 5860 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5428 wrote to memory of 5860 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5816 wrote to memory of 2832 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 5816 wrote to memory of 2832 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 2832 wrote to memory of 5424 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 2832 wrote to memory of 5424 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 2832 wrote to memory of 3732 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 2832 wrote to memory of 3732 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5424 wrote to memory of 3104 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 5424 wrote to memory of 3104 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 3104 wrote to memory of 4392 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 3104 wrote to memory of 4392 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 3104 wrote to memory of 4232 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 3104 wrote to memory of 4232 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 4392 wrote to memory of 5596 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 4392 wrote to memory of 5596 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 5596 wrote to memory of 5332 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5596 wrote to memory of 5332 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5596 wrote to memory of 5664 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5596 wrote to memory of 5664 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5332 wrote to memory of 2320 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 5332 wrote to memory of 2320 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 2320 wrote to memory of 1248 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 2320 wrote to memory of 1248 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 2320 wrote to memory of 3448 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 2320 wrote to memory of 3448 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 1248 wrote to memory of 5788 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 1248 wrote to memory of 5788 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 5788 wrote to memory of 5432 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5788 wrote to memory of 5432 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5788 wrote to memory of 5796 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5788 wrote to memory of 5796 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5432 wrote to memory of 5820 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 5432 wrote to memory of 5820 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 5820 wrote to memory of 1604 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5820 wrote to memory of 1604 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5820 wrote to memory of 4108 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe
PID 5820 wrote to memory of 4108 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe

"C:\Users\Admin\AppData\Local\Temp\1c56f7e7eddc792f68ac6f3cab2a4681.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files\MsEdgeCrashpad\reports\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\reports\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files\MsEdgeCrashpad\reports\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4572,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\WindowsRE\SearchApp.exe

"C:\Recovery\WindowsRE\SearchApp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1174bd5f-555d-4713-bbcb-dc5d00cf6423.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d0f33a0-9ad0-43e0-bbe5-1662a6d12066.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af1b58e0-5ec5-4d59-b4fa-9517b889b465.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2173ef6-c008-4d9f-a123-4f8cd94d9dfd.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\001dad3b-bb98-407c-8131-71786062d75d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22e96b7d-1ebf-4145-af3f-857a1da8bfb9.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14831929-8b14-49e4-9878-25f8c7d0297b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\804833a3-c017-4d29-bf99-59d1b62b923c.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ae292cb-ca81-4cac-b7fe-0e625964dc5a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ab0a543-51ce-42db-b1ee-a37e48cb433b.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11d4f15f-50a9-4dd4-a772-87681898966d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14f17b6d-35f5-4080-8bf1-cb6c6f8ad683.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8e613c0-1fab-45a7-a6b4-714481fd58d7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c91a8d65-30b1-42e5-99d2-b58f418cfe8f.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b1f3276-5dcb-4f92-907b-a052242d7e89.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\132fa415-bafd-4f60-9a9b-af882afb3ee5.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f5fc8e2-4972-4cb2-85b5-5dce31d9f662.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cee1055-15c2-4929-9e19-daadb303664b.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a9cf3f7-0edf-4c04-aad4-c946d2dd5724.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb5fe26a-84b1-4b73-9f40-df0070d214ab.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff7796b0-b00d-483a-bab6-b308ebd321fc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\012b45b0-7fe3-4894-a5f1-b03e09c5fbd8.vbs"

C:\Recovery\WindowsRE\SearchApp.exe

C:\Recovery\WindowsRE\SearchApp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 a0986195.xsph.ru udp

Files

C:\Recovery\WindowsRE\RuntimeBroker.exe

MD5 1c56f7e7eddc792f68ac6f3cab2a4681
SHA1 ec7d386f705bec9d369afc8a01cfcbfb36f7518d
SHA256 b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2
SHA512 2adaaa4d4a506958541f8de3448d13a014da7f00124f8844b9ebd43af8d82834ee549a08fe4685fdd7865890139b2a718c737f8ac4b1520f0db8fa6e5dbfde8e

C:\Program Files\MsEdgeCrashpad\reports\msedge.exe

MD5 c23f505acfe9b974c86728dcb6928d5d
SHA1 33aa7a0dd6ed4f414101dd63116193afc20f2a0f
SHA256 ce50b9be9e6dcad687497edabcd19fbe9dd6374b359bc5ab02694f36912097d7
SHA512 ccb3601a240c476ffd5f0fb1d044f12ebc91f1949649edddecd7f5f9dee1c7cd2b98a9984a10bb358cc118bf7e3c2962e0c8daf305c5cb11a4e6805407fde038

C:\Recovery\WindowsRE\SearchApp.exe

MD5 e123798ef032135aed23c8b4adf7a175
SHA1 7191560c1f8fd5c33480197e34cb78c41aa3da38
SHA256 14a08dc82256aea13a247891c14a653dc5cb6644bdc2053198e58ea1102f43be
SHA512 bd0ff48ddb367b5f00747f59989c5ee50c594daa971f91ed39a75c6a7e3863ebe02f700682630a03938c313234b2ef6e4833680ad524a8f3935aa50b3d07f674

C:\Recovery\WindowsRE\RuntimeBroker.exe

MD5 57a035eecdc1289a1a4528f55d777a39
SHA1 28e626aaa98ecf53e24da849aed932e337c0ad0e
SHA256 715eae7bea7de6e100395e735efa45d86e4324b91b9084bd0c8337149a0633da
SHA512 3087074ebf6802dc00512b4a872cfa5d0cb39581ef83928ed29683e11d091fa026dd342f17cf7742cd22ca5abac2bcccaee6028ee55c2b3a42d5d20503ca35b1

C:\Users\Default\Saved Games\winlogon.exe

MD5 236abfdaf6d504619549f1b7caa79f05
SHA1 7b682effe9f6681eff6ed48b57c4e38c4061703f
SHA256 68b27ce0d34b5fc2ad27d6da4525dcaf5611fddd75193cc4ea0ae7bf8a6e88b6
SHA512 90a5378783d6ac0dcadb11083126bb702bab7d55c22eade773e740dd05eedf95e635c28d673fd0b96eafc143250c17bcdba813d2a888dfb0d2d89c2fe18396cf

C:\Recovery\WindowsRE\msedge.exe

MD5 c2b51ea6138d4f1b04fbf2c4edd4e576
SHA1 e7ec352072a65cbcf1e4e8fd960e78b8d1673d90
SHA256 dff5c121d3fe459f9be21825c627c2df154621bbf6f47f2ae5b5d3d87862c49b
SHA512 d24b3f81ee83be44415902a26553eebfc9cf5419946a68abc69eb0d958e41d6605b82d2239019bc4eed22b48100ab8edcab90fe38f679765c9380bc2f7621185

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lt0frvpi.ln0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a5e1f1efff867a822c6a57ee928dd66
SHA1 b017854d8a1deb05f1447e9dd6002902fb66bf6b
SHA256 8222fe869b025493591ca2ffbabe089c2e682449e77b754fc864ba62d64ee957
SHA512 25fc0fd6a71595c44efe34d281c4bc4924ac82f76b9f697497d0019fa2c8e0cadf58f92ae4272f00b1ef1e97dfd93bd740a9e7f7d9dc93cb1cadbde5f93d1782

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Temp\1174bd5f-555d-4713-bbcb-dc5d00cf6423.vbs

MD5 3dce647f5f63be778e6f2bc650317ce5
SHA1 baee6e89ba747f9940036a8111d8be5f37b33e4e
SHA256 89a9ca26fa43a31cb7199a8cd03ea3cd0fa4da57efd31ca7339698905fcfcb27
SHA512 1d100ed6defbce58b085e307f0b0d23034dcc1b2bd0805886a7781c0d66fe1732e6491ace9317eae0d9241876f378b8bddd73ce0de506986d82197ad2813f333

C:\Users\Admin\AppData\Local\Temp\2d0f33a0-9ad0-43e0-bbe5-1662a6d12066.vbs

MD5 a0510cc1b27019365aee228a9051bbc4
SHA1 6bdc744ef1b24c63b26e75a8f7dfc4e567815ed0
SHA256 2e5beed6d470c049669ab1dac0730dd62ad74454069012479469699413242a0f
SHA512 f921271c7182b814d911d6dd1ff3271528cf840ea15cd4dcd3c4eb8a741e37b8480d265164c2b2bd57b6bf5ac4354f285b1ebc10de483f8f1f2435e46f1eb20d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\af1b58e0-5ec5-4d59-b4fa-9517b889b465.vbs

MD5 97cd69260c68f9fb25fc978e3e24d5f0
SHA1 9afa430f2172683ed75cd78b7a66d60ba779a7f2
SHA256 2104122a7b96987238405d3f4e0df825c3c34a913986011a425d987a4752a347
SHA512 bc6c2701e34017d183fc81c707911702edf521bfbcdd7dc4454ece70c8f42bd3a351a16c47bb0a0f19e2be71e9dae3e63b983ea04b7966ca81f3ca41bf3b4e8a

C:\Users\Admin\AppData\Local\Temp\001dad3b-bb98-407c-8131-71786062d75d.vbs

MD5 97b4652ecc9274956cdb9fa5c9ef9827
SHA1 5f64b86a35679dc9aa53be5095938683db0d896f
SHA256 7b9a145f9dddbf9a3cafd4562469f71719c3a5a36109caeea3f7b16bae9e6bcb
SHA512 e8e7e61aa2fd7963c2802651b87d3b5272841e48ac8f1c7bc7301e4f6c1190aa4caef55cfc22fdc9d38d34c1b87cc268639bc2bd96d90416c8a247b9bdb59700

C:\Users\Admin\AppData\Local\Temp\14831929-8b14-49e4-9878-25f8c7d0297b.vbs

MD5 9ea5972708c93260f9307af56c30eb1e
SHA1 18e3158ecb7dd25ec17ef968f1be6531250fce2f
SHA256 36e5401d4d3d1e1a7f82bf910274a558eac146b500882c1f31d8aaf77cb42e09
SHA512 a6f9e4cf09c7d5685d90c9fb3b4c4f143d573ec7e6ecaa76c36ec96d69d56134e49535e80fa0daf13a2a7669f01666dcbf5e767f121b6f6530178a8ee9beae8d

C:\Users\Admin\AppData\Local\Temp\2ae292cb-ca81-4cac-b7fe-0e625964dc5a.vbs

MD5 18778f1624be0152e2d2981731650ec6
SHA1 2d008026577130eb7e35c4be47aa87ab3bc5ed7a
SHA256 7ee1c853948fd9bf74a74b63f94c1a28a7f55a46541a2cdb3df4d18901a9fa7a
SHA512 0653bc965fae72d2722e991c0901940f9581909f88a4f90da74686437034c3ccf87bdb8089d94d053ad1cb395089467ca6da1c7e9508fcff5755add8c6b4f473

C:\Users\Admin\AppData\Local\Temp\11d4f15f-50a9-4dd4-a772-87681898966d.vbs

MD5 a3f9276b72daa66cf55ebf0aa5d8f9da
SHA1 6543597f815d0cf9ae11b564a4197f4485d3d05f
SHA256 4398091b568eebd1e91c26f828e6e69e48352f06741cd5e24e0d973f2f5d3f86
SHA512 290627d346f436d732a2f2d217db79403c54f1a9be4401dfcee23d50ef0914bc378780b4256ca84cd6394eb13c9c62f86d75760838328b261053be3961be8abd

C:\Users\Admin\AppData\Local\Temp\d8e613c0-1fab-45a7-a6b4-714481fd58d7.vbs

MD5 788887698022ec02e496125da644d581
SHA1 fd9578653eb4eb7df59cc58d2a3ec5e36d54b672
SHA256 63cc54f8d23a4178df2ce389c6908962e101997e89ba9fde9f1ffbe2840db75e
SHA512 8e5c2b27e839736ae199c69cca01fec85e02cfd67338e553bdab004af5eeee1167b836b84afd14a3de1ac87ba8bafe638132527e840be776320a154b5c461d82

C:\Users\Admin\AppData\Local\Temp\4b1f3276-5dcb-4f92-907b-a052242d7e89.vbs

MD5 c0a6fd374e8cc59d73ba8767aee239fb
SHA1 9c36cd9e3d4c55e3444440edea43f1d16d34d51a
SHA256 0846d5bf3d8b0df5fba640415754e239980957a06c8b4fed2313a4f44755380c
SHA512 6af26249dd1b83506e26709c7e70dafa7920daa0f8cb7b530c9aa960eb4ea513b2a0f2ea43c4d24316b6f16214d202f94fec748a4d3bb17df75ec056debcf4a7

C:\Users\Admin\AppData\Local\Temp\4f5fc8e2-4972-4cb2-85b5-5dce31d9f662.vbs

MD5 f7625b6406224282eaf749e42cbc1c58
SHA1 67270ef8a77897a965832dbc271753a11082d418
SHA256 5df8144c043e65ae6d79f34c5b6e6df5e1f7d3027756491ed6f9d17b11346567
SHA512 cb6f5bc5681a77d74c9454858d7b830a59cebe0941a25c6feecd8d55e42c1d4a2389a1bf03a1ea8df0e790002ccb2de2704c3978a73587aba996f7d4d744d276

C:\Users\Admin\AppData\Local\Temp\9a9cf3f7-0edf-4c04-aad4-c946d2dd5724.vbs

MD5 3fc5b9507352de3d5e545866659eab73
SHA1 05556eea43160c66fa84f95a9066050ac4c1cd14
SHA256 d46e53a707a09b5726f2cd94a08d633d0069e4672ae2657ef5c5c8ef4cb63f9e
SHA512 13fb35a46382c4204a4539dcfea99e1db1be4e01056beef0a09e0c2cbdd2a0dba09ae0e599845c6a050b36e0d1f2b440cb3e3a55be18971c25e739f54e8eb41a

C:\Users\Admin\AppData\Local\Temp\ff7796b0-b00d-483a-bab6-b308ebd321fc.vbs

MD5 d32a41162991002561868509056d9fd3
SHA1 1462e04c43c7686e8bc93b27437f66d27069d85f
SHA256 5e559f25370f4c60b7b159178b5d7f8d46bd71a45ba98e9a0ef48fa26aea9ecf
SHA512 4c6b03e8748bd1c32fe241ce90714ec05de4d678279168536dd26ef417a83314531f404dfe34f7d5b6bc6c36d352c08aff0b42d70a983c94c6a0c77025502027