Malware Analysis Report

2024-10-10 13:00

Sample ID 240617-v12sfaxdka
Target 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe
SHA256 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d
Tags rat dcrat evasion infostealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d

Threat Level: Known bad

The file 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe was found to be: Known bad.

Malicious Activity Summary

Tags rat dcrat evasion infostealer trojan

DCRat payload
Process spawned unexpected child process
DcRat
UAC bypass
Dcrat family
DCRat payload
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Modifies registry class
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-17 17:28

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-17 17:28
Reported 2024-06-17 17:30
Platform win7-20240508-en
Max time kernel 146s
Max time network 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe  (×48)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe N/A  (×10)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe N/A  (×10)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe N/A  (×10)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A  (×9)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe N/A  (×10)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe N/A  (×10)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A  (×11)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\smss.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\smss.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files\Google\Chrome\lsass.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files\Google\Chrome\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Microsoft Office\winlogon.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Microsoft Office\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\dwm.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\0009\smss.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Windows\inf\WmiApRpl\0009\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A  (×48)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A  (×11)
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe N/A  (×53)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 1440 wrote to memory of 2388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1440 wrote to memory of 296 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe
PID 296 wrote to memory of 2600 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 296 wrote to memory of 2248 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 2600 wrote to memory of 2988 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe
PID 2988 wrote to memory of 1416 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 2988 wrote to memory of 2816 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 1416 wrote to memory of 2660 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe
PID 2660 wrote to memory of 1108 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 2660 wrote to memory of 1924 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 1108 wrote to memory of 2352 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe
PID 2352 wrote to memory of 2320 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 2352 wrote to memory of 556 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 2320 wrote to memory of 1440 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe
PID 1440 wrote to memory of 2812 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 1440 wrote to memory of 1640 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 2812 wrote to memory of 316 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe
PID 316 wrote to memory of 1596 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 316 wrote to memory of 2476 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe
PID 1596 wrote to memory of 2796 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe
PID 2796 wrote to memory of 1172 N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d7" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d" /sc ONLOGON /tr "'C:\Users\Admin\Recent\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d7" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Recent\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\WmiApRpl\0009\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\inf\WmiApRpl\0009\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\WmiApRpl\0009\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\Crashpad\attachments\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\attachments\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T2ufoBU7Z2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95ad1f49-fa0a-4158-ae2b-2e87b0fd6784.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d79eeeca-7396-417c-8883-3f8c2b38f400.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef2a8698-25d1-4062-9be9-6d706a9f310f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e2c92b7-e178-42d3-a1c6-78dea4b9b5dc.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06cf052c-fc85-43ae-b3f2-54d21971af79.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88ddba3d-3d4b-47ff-b6e6-d47fd79464ac.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f5e082f-7d65-4171-b013-e6abb766178f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cffed68-7c56-4755-b1f2-a383ad3f38d0.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0db8ac8a-a496-413a-a6a8-048c7c963e8a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\612dd780-546b-4a6d-a925-e1bf20047337.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8aa004b-7c83-4428-abbe-87aeb052b646.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f015d9a-9d58-4c7b-ad35-6029c3f9e7ff.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e367c440-9da5-4e4d-b3dc-a3a150419fb7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\319b7c60-edb2-4454-95a4-240dd7ed7012.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5247c726-99e3-46de-831b-b723124a5631.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ff9cfe5-b1ea-4c77-8504-ad3af26d70f7.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb8cf03-6559-47ed-83d4-b84b852cf0b9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95dd9534-a02b-4d05-9930-0e317c3b3486.vbs"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9748a73-fd99-432c-baf6-bfc7ae1beceb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca470e8e-e754-448e-80da-7f78c46b7437.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 a0996219.xsph.ru udp
RU 141.8.192.58:80 a0996219.xsph.ru tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

MD5 3fee7ded96ac1d470212d26fccc60898
SHA1 e2c6d4561548dab022de28002fdee09daf90eae6
SHA256 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d
SHA512 4bbbab7f897295df7ad67ccaf9362557ece7ce352716cad8a7529ab7824b01732a9dcadf96954611c1c6628e1c0d3c59787daf243172bf1b5f12a6e6e9278ea0

C:\Users\Admin\AppData\Local\Temp\T2ufoBU7Z2.bat

MD5 3b1da803a6d9169a3c41b7480c6e997f
SHA1 eb52d499368de99e751fb4eed1230034ee92403f
SHA256 069bcd67364637f18f5313530595a12a6add98922ab6e49038598b4e23c67287
SHA512 37e997eb0365e2408309178d70c469aa6258723b0b558cf6bc64039abb9f5ca650fa2001bab7892222275726279f1d1aa38c3fad4b226c133f54188c2e2837ec

memory/2364-54-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

memory/296-57-0x0000000000920000-0x0000000000AE0000-memory.dmp

memory/296-58-0x0000000000290000-0x00000000002A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\95ad1f49-fa0a-4158-ae2b-2e87b0fd6784.vbs

MD5 a14787eaeb49405561532cacc81b19e0
SHA1 a16dd88dd1ed34623a132b606a59f37908019277
SHA256 2e54ac1824bc96687bef349a475d98243e1830b090a35efd0ee3be7d0e6415a1
SHA512 e723258c184f5dff498207043f038233e60817d53e43c2b09c81aadb15ca903cd4408c5b0e628549d3f56f2dffa0a27f2266d7175ccb18448a3107af9d792e3c

C:\Users\Admin\AppData\Local\Temp\d79eeeca-7396-417c-8883-3f8c2b38f400.vbs

MD5 0fa1d4bec0c32042186d09083326d5c8
SHA1 fb458e05f6aa39b835d5b02892aa83b16ee24a8d
SHA256 e88b13a9150e432f9c63c8f600fd6261273d5440bc5a95fdfc3ef3dfcdac77f3
SHA512 80f7929b5f7cdddf642cb0d85ecf5aef2467dd1f4c7b8c14594ad415c2f760cddeac745f62a4c9004b2136092c9fd84d322933c0d612402efb6a54e38475e0b4

memory/2988-69-0x00000000003B0000-0x0000000000570000-memory.dmp

memory/2988-70-0x0000000000970000-0x0000000000982000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ef2a8698-25d1-4062-9be9-6d706a9f310f.vbs

MD5 a8e4b673ae1d1b38b27c1c5d7497ad5f
SHA1 394fe0545302172e4b8afde868362bdbd1601ba9
SHA256 6fda26ad14966dc8605060b8ac9655138a351b62a8a23373d9a5797277762dc1
SHA512 e18c30f8b73fea5ae0d7a89aba2d352446f70c9baaa637867dbcd5378bd67cdb372234e26b8bd77b49732c9944bb117a007072a29ff4c0f538ca3d225fdbef6a

memory/2660-82-0x0000000000EC0000-0x0000000001080000-memory.dmp

memory/2660-83-0x0000000000450000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\06cf052c-fc85-43ae-b3f2-54d21971af79.vbs

MD5 af8456848882b26a84bdaac499d38264
SHA1 44091da80e12f57b0b6ccec97c7e1af69ad21cb2
SHA256 2e80ef27d3aa561697dc340161ef497486800b39125e2b03d21129f245aeebdc
SHA512 f4ee82c6adb22cf778ade944d2d9f454f6bb688d28b32da913a21fccbc15b13fcb7c54295d6fdb128d49ef8739c48e9b672bdfbe536f7c2b6293db7d9f764172

memory/2352-95-0x0000000000350000-0x0000000000362000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6f5e082f-7d65-4171-b013-e6abb766178f.vbs

MD5 88544ad934749480b797488bfddc6703
SHA1 fe7cf1d2b9fec393b587f829e14277e749361574
SHA256 924697151391a46ff21d942e2f8df9ab7c2cb978d6bbdb5e6904fd5145de8b2b
SHA512 b8ff3e85ef3e7ba026a06ea38d0e549deb8aca392d11c8ee65b4accdba650490f5b8aeef5519c4399e05ae9d35a8d041cf8d8759aaf1315f8c1f94fa1c0f4769

memory/1440-107-0x0000000001120000-0x00000000012E0000-memory.dmp

memory/1440-108-0x0000000000350000-0x0000000000362000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0db8ac8a-a496-413a-a6a8-048c7c963e8a.vbs

MD5 b232aab8ccfd9200efbaaed777b3250f
SHA1 c069c21f824a2250508eeece34bdd730ddbb354f
SHA256 a4d5811edda5d28b1510fb3f1524186e98184e4a2098ba955252aa041c6d61cd
SHA512 65d96e9df116d634f782e0b3cbd57bea30af5af412c5a1d824ebb8c483cebde8ef058810becf0c7233f677054574d35b9ede87bc0cec279bcb1012400789ddee

memory/316-120-0x0000000000030000-0x00000000001F0000-memory.dmp

memory/316-121-0x0000000000310000-0x0000000000322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f8aa004b-7c83-4428-abbe-87aeb052b646.vbs

MD5 c793cc2195443527cf6166358237d956
SHA1 98fa25a94aba16b073d2e2e4ac7eb733936f5d1b
SHA256 9a397a0da6fe49e2c125cef0a91a2906be82a9d112f5b7974cfac4c073231770
SHA512 443a37c16085bbe24516250564fda389a67392afec600ecaca77d0e4beacf984f5ba1cfbeff26c45fdd26af135c402120c0c49f6e1a398a50ffbeec3ef077cb4

memory/2796-133-0x0000000000960000-0x0000000000B20000-memory.dmp

memory/2796-134-0x0000000000940000-0x0000000000952000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e367c440-9da5-4e4d-b3dc-a3a150419fb7.vbs

MD5 9c0d92d7b542b261b037bd7dae53d89d
SHA1 af29295ad8b7c07ca806c8c6e335c0bc5341adcd
SHA256 7d81d271d903884d85e64ceabdd9cd6eb85959e34df540b411c8f62d699002ef
SHA512 66c8eaf6f4c0a54502eb87930e073c0a15fe6a84fb548508c19684a7c7ecb83d0c3f39e27d31a7ace0e5fbee1eb693c6d68d0c63329cf2bcbbb9d2e6dc45bef9

memory/1588-146-0x0000000000C30000-0x0000000000DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5247c726-99e3-46de-831b-b723124a5631.vbs

MD5 c2c4ff6c2b783575d4d418f6272affc6
SHA1 0737aa3997d66c4dac960e7ec143fcec7c4162c8
SHA256 e3837e5c0f64a6d387f4d5af4c5f8341d766889bc1bca914025eeff75910ba2f
SHA512 5ded8ca4890e9fd2eb057aaeea4975be6a57b8ec69a9712f3ac65f4bc424f8354d9d98d5da45f464cc35dd1dd1f642ed1d42e86745cce7e4c598dafc71f936be

C:\Users\Admin\AppData\Local\Temp\0fb8cf03-6559-47ed-83d4-b84b852cf0b9.vbs

MD5 2ff516fd93ccea22c50e44248f5d51e4
SHA1 b2c2c1fee9ead9899da16155e63a4ab31f308c61
SHA256 1b5f71aca47c0f8267158943096363c5de5deedd761244cd913af0d1732353bb
SHA512 cd4b502c08e06610c170ed43d74a9562dcdb050593ae4396d894379fd80c24ed06d90a94abece3e9c7d16bdfaf293fd3c67f95b363bb2e1523f9b2d48e9c192d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 17:28

Reported

2024-06-17 17:30

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Media Player\msedge.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
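The UAC bypass, Checks whether UAC is enabled and System policy modification tables are three views of the same change: the dropped msedge.exe (and, for two of the writes, the original sample) sets EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Two caveats worth keeping next to the rows: these values live under HKLM, so the writes only succeed because the detonation already runs as Admin, and EnableLUA=0 takes effect at the next reboot, so this is preparation for later silent elevation rather than an immediate bypass. The Python below is an added example, not part of the report or of the sandbox's tooling. It parses rows in the tables' own Description/Indicator/Process/Target layout, counts the UAC-weakening writes per process, and treats the Geo\Nation lookup from the Checks computer location settings table as a read. ROWS is a subset copied from the tables above; the Windows defaults noted in the comment and the effect strings are the only assumptions.

```python
"""Classify the registry rows from the sandbox tables: which process wrote
which UAC policy value, and which rows are only reads (e.g. Geo\\Nation)."""
from collections import Counter

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Value name -> (data that weakens UAC, effect). Windows defaults are
# EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1.
UAC_WEAKENING = {
    "EnableLUA": (0, "UAC disabled for every user; takes effect after the next reboot"),
    "ConsentPromptBehaviorAdmin": (0, "members of Administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts drawn on the normal desktop, where other windows can overlay them"),
}

MSEDGE = r"C:\Program Files (x86)\Windows Media Player\msedge.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"
USER_KEY = r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000"

# A subset of rows copied from the tables above, in the tables' own layout
# (Description, Indicator, Process, Target) with the Target column empty.
ROWS = [
    f'Set value (int) {POLICY_KEY}\\PromptOnSecureDesktop = "0" {MSEDGE} N/A',
    f'Set value (int) {POLICY_KEY}\\ConsentPromptBehaviorAdmin = "0" {SAMPLE} N/A',
    f'Set value (int) {POLICY_KEY}\\EnableLUA = "0" {MSEDGE} N/A',
    f'Set value (int) {POLICY_KEY}\\EnableLUA = "0" {MSEDGE} N/A',
    f'Key value queried {POLICY_KEY}\\EnableLUA {MSEDGE} N/A',
    f'Key value queried {USER_KEY}\\Control Panel\\International\\Geo\\Nation {MSEDGE} N/A',
]


def parse_registry_event(row):
    """Parse one row into (action, key, value_name, data, process), or None.

    Handles the two row shapes used in the tables:
      Set value (int) <key>\\<name> = "<data>" <process> N/A
      Key value queried <key>\\<name> <process> N/A
    """
    row = row.strip()
    if row.endswith(" N/A"):                 # empty Target column
        row = row[: -len(" N/A")]
    if row.startswith("Set value (int) "):
        action, rest = "set", row[len("Set value (int) "):]
        path, _, tail = rest.partition(' = "')
        data, _, process = tail.partition('" ')
    elif row.startswith("Key value queried "):
        action, rest = "query", row[len("Key value queried "):]
        # Key paths may contain spaces ("Control Panel") but never a drive
        # letter, so the process path starts at the first " C:\".
        cut = rest.find(" C:\\")
        if cut < 0:
            return None
        path, process, data = rest[:cut], rest[cut + 1:], None
    else:
        return None
    key, _, name = path.rpartition("\\")
    return action, key, name, data, process


def uac_tampering(rows):
    """Count UAC-weakening writes per (process, value name); reads are ignored."""
    hits = Counter()
    for row in rows:
        event = parse_registry_event(row)
        if event is None:
            continue
        action, key, name, data, process = event
        if (action == "set" and key == POLICY_KEY and name in UAC_WEAKENING
                and data.isdigit() and int(data) == UAC_WEAKENING[name][0]):
            hits[(process, name)] += 1
    return hits


def describe(hits):
    """One line per distinct (process, value) pair, with the policy effect."""
    return [f"{proc} set {name}=0 ({n}x): {UAC_WEAKENING[name][1]}"
            for (proc, name), n in sorted(hits.items())]


if __name__ == "__main__":
    for line in describe(uac_tampering(ROWS)):
        print(line)
```

Run against the full tables, the output collapses the repeated rows into one line per writer and value, which is the form an incident write-up needs: which binary changed policy, how many times, and what the change buys the operator.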

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
File created C:\Program Files (x86)\Windows Media Player\61a52ddc9dd915 C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files (x86)\Windows Media Player\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Windows Media Player\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 4028 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe C:\Windows\System32\cmd.exe
PID 2368 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2368 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2368 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 2368 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 1564 wrote to memory of 3708 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 1564 wrote to memory of 3708 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 1564 wrote to memory of 4908 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 1564 wrote to memory of 4908 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 3708 wrote to memory of 1420 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 3708 wrote to memory of 1420 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 1420 wrote to memory of 4188 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 1420 wrote to memory of 4188 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 1420 wrote to memory of 4672 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 1420 wrote to memory of 4672 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4188 wrote to memory of 2056 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 4188 wrote to memory of 2056 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 2056 wrote to memory of 4516 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 2056 wrote to memory of 4516 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 2056 wrote to memory of 4112 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 2056 wrote to memory of 4112 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4516 wrote to memory of 4952 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 4516 wrote to memory of 4952 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 4952 wrote to memory of 4496 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4952 wrote to memory of 4496 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4952 wrote to memory of 996 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4952 wrote to memory of 996 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4496 wrote to memory of 5112 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 4496 wrote to memory of 5112 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 5112 wrote to memory of 1748 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 5112 wrote to memory of 1748 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 5112 wrote to memory of 4320 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 5112 wrote to memory of 4320 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 1748 wrote to memory of 4284 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 1748 wrote to memory of 4284 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 4284 wrote to memory of 4752 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4284 wrote to memory of 4752 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4284 wrote to memory of 3940 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4284 wrote to memory of 3940 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4752 wrote to memory of 2084 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 4752 wrote to memory of 2084 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 2084 wrote to memory of 4952 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 2084 wrote to memory of 4952 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 2084 wrote to memory of 3616 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 2084 wrote to memory of 3616 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4952 wrote to memory of 3016 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 4952 wrote to memory of 3016 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 3016 wrote to memory of 4024 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 3016 wrote to memory of 4024 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 3016 wrote to memory of 1116 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 3016 wrote to memory of 1116 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4024 wrote to memory of 4892 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 4024 wrote to memory of 4892 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 4892 wrote to memory of 2772 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4892 wrote to memory of 2772 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4892 wrote to memory of 1488 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 4892 wrote to memory of 1488 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 2772 wrote to memory of 1604 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 2772 wrote to memory of 1604 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Media Player\msedge.exe
PID 1604 wrote to memory of 968 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 1604 wrote to memory of 968 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 1604 wrote to memory of 4204 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe
PID 1604 wrote to memory of 4204 N/A C:\Program Files (x86)\Windows Media Player\msedge.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Media Player\msedge.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe

"C:\Users\Admin\AppData\Local\Temp\76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\msedge.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d95bf8dc-6f78-414e-af85-5782b014d522.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b334a464-7712-4e41-a47b-7a3fb1469e2f.vbs"

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ddff63a-96c4-423e-8e11-bd1fb456d45c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25f24fa2-abe2-41e5-9f54-726c6a93d15e.vbs"

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a96b9364-3271-4da5-acfd-9419014aec2c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bff91ab-ca84-467b-84a1-3f3d0aaf6228.vbs"

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa454051-4c15-4489-b106-e0900d326266.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10f792aa-7a8a-4cd1-9406-d51a36310702.vbs"

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6556fce-a07c-452c-9e39-167b07875447.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\423e5927-c335-49c6-abbd-4e1f14fcdb8f.vbs"

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dbbf49f-abe7-4c68-ac93-9c3f8e05af8e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fef1bdd-a19b-4bd4-86ad-97ea2ead93d8.vbs"

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e25f7065-65ef-45bd-aaee-d7d020edbea8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb2d8064-4120-4c13-b187-0c89f2a290e3.vbs"

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cef22c8b-60a8-4541-8053-f584a8a2c1d7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c49b91c-6a36-4fff-bc48-85918f8f7722.vbs"

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2098aae2-92de-4040-8c38-742964ff4233.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dfd06d1-1803-4d85-a405-6fd57ce22bc2.vbs"

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75e8bad2-1e5e-437e-a56c-5be65d44f1fe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35e63d58-0d32-4cef-85a2-aa631c028785.vbs"

C:\Program Files (x86)\Windows Media Player\msedge.exe

"C:\Program Files (x86)\Windows Media Player\msedge.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1879c4a3-281d-4636-85b7-40c0a01f2982.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5552a819-8f9d-4823-92d0-b24bf605511d.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 a0996219.xsph.ru udp
RU 141.8.192.58:80 a0996219.xsph.ru tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 58.192.8.141.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a0996219.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a0996219.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a0996219.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a0996219.xsph.ru tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a0996219.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a0996219.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a0996219.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a0996219.xsph.ru tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a0996219.xsph.ru tcp
US 104.20.4.235:443 pastebin.com tcp
RU 141.8.192.58:80 a0996219.xsph.ru tcp

Files

memory/4028-0-0x00007FF894143000-0x00007FF894145000-memory.dmp

memory/4028-1-0x0000000000E30000-0x0000000000FF0000-memory.dmp

memory/4028-2-0x00007FF894140000-0x00007FF894C01000-memory.dmp

memory/4028-3-0x000000001BBF0000-0x000000001BBFE000-memory.dmp

memory/4028-4-0x000000001BC00000-0x000000001BC1C000-memory.dmp

memory/4028-7-0x000000001BC40000-0x000000001BC52000-memory.dmp

memory/4028-6-0x000000001BC20000-0x000000001BC36000-memory.dmp

memory/4028-5-0x000000001C2B0000-0x000000001C300000-memory.dmp

memory/4028-8-0x000000001C280000-0x000000001C290000-memory.dmp

memory/4028-9-0x000000001C260000-0x000000001C26A000-memory.dmp

memory/4028-10-0x000000001BA40000-0x000000001BA4C000-memory.dmp

memory/4028-12-0x000000001BA60000-0x000000001BA6C000-memory.dmp

memory/4028-11-0x000000001BA50000-0x000000001BA58000-memory.dmp

memory/4028-13-0x000000001BA70000-0x000000001BA7C000-memory.dmp

memory/4028-15-0x000000001C290000-0x000000001C29A000-memory.dmp

memory/4028-17-0x000000001C600000-0x000000001C60C000-memory.dmp

memory/4028-16-0x000000001C2A0000-0x000000001C2AE000-memory.dmp

memory/4028-14-0x000000001C270000-0x000000001C278000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat

MD5 90910c14082df21ebd22bcf341f02cfd
SHA1 e2e593b32cded454dfba5340a0ec030c8f2e8557
SHA256 8381a8650bc0802af6e490263f0d19f7b089b066517862d68ac65377baf8d712
SHA512 b53c7929c4d2726e02d989aca3d8430eb83740e60d501b0ac2fe00cd3f0636bd30205df7f55f0c9aba9a5031f6889eef4a20b5f27dc0d691461629e68de31912

memory/4028-28-0x00007FF894140000-0x00007FF894C01000-memory.dmp

C:\Program Files (x86)\Windows Media Player\msedge.exe

MD5 3fee7ded96ac1d470212d26fccc60898
SHA1 e2c6d4561548dab022de28002fdee09daf90eae6
SHA256 76fc0359cb26a2df509d072b2b5e925de39dc95d502f5173b45d11406bab815d
SHA512 4bbbab7f897295df7ad67ccaf9362557ece7ce352716cad8a7529ab7824b01732a9dcadf96954611c1c6628e1c0d3c59787daf243172bf1b5f12a6e6e9278ea0

memory/1564-32-0x0000000002E80000-0x0000000002E92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b334a464-7712-4e41-a47b-7a3fb1469e2f.vbs

MD5 873be84fbb49e002a98a2a1abd3fd67a
SHA1 b443d901bde62531949c6264ef7170ab9840c95c
SHA256 32694b10bd9e88ec49fd108cfb7745d58b26124678f9e29f3f3febc46d69d8ea
SHA512 1d90d8b24f79f330d40db8aaff74cb3d9d490e95a98516d795e32d5b07ffd4ec7c75b37bc0213a1ca38e33b9fdb9580aafabbd75e3bc71f4d467d47c1177e97a

C:\Users\Admin\AppData\Local\Temp\d95bf8dc-6f78-414e-af85-5782b014d522.vbs

MD5 a88ed6d4f8625d85d7626c55e1d2d17a
SHA1 9121a0911b93863dd47643452d6b2cae0af8b14d
SHA256 640e99a75e3f8a9c02f1d314899b5e2c098cacbc9ebf1ed6d3225257538eaf75
SHA512 7dfe2f459529c3d56d11342547a9930f096e8ccdd58d8e0b1d60ef856588bf87b27b7122d9cdf82c598ea2100d67fbd80df868670359a80a737dfecc057e4f9a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

MD5 9b0256da3bf9a5303141361b3da59823
SHA1 d73f34951777136c444eb2c98394f62912ebcdac
SHA256 96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e
SHA512 9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

C:\Users\Admin\AppData\Local\Temp\4ddff63a-96c4-423e-8e11-bd1fb456d45c.vbs

MD5 8af5d159d0869c41925a9a05767a9d2e
SHA1 7e289193fc9a96ebc2c021ca096f211b31070ce5
SHA256 8681e1974b2bf43651196b3894b2289577345c9bd2d2f7ac8c5d05f1d6499260
SHA512 d717c64ccbaf24c80c869b6f0bc8c5cc5cdcdce4dbc5d2a2152e6ad862f059f07c2a346f572400ac7738b7195b6784d9949a973925cdeb8cbb85dbfb7a2a6bf2

memory/2056-56-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a96b9364-3271-4da5-acfd-9419014aec2c.vbs

MD5 aa2931c70fb9818f8de832c7bdb6e7d8
SHA1 7630553c33489e4cf4fc14fb4843168bd7f4babc
SHA256 fe79ffe98e49146aebdf1a35be542694ef2368b545cbf5eb7fb19b216dd561b4
SHA512 9779b8ab1f32ae494b49f5a581716f2c4c1d9125058d29a2d3e1da5d67e3f24e7252a58f053f7c77a04a2961c3155abcbf764fbb6c378a3351ed49e5c78c56d0

C:\Users\Admin\AppData\Local\Temp\fa454051-4c15-4489-b106-e0900d326266.vbs

MD5 8585532cd60ae6529989b3aae69593f3
SHA1 21a706c93dc0b202366c40e70d2071c938a9ecc4
SHA256 f7be8754657ac8982581e5f569b5681d3f148f3fea96a2a83c9a99dc5c64f728
SHA512 f216e75a6b2d16039ea8283825e10383cca5a8028e4edbd1a2b5248767ef66de2504611a45367595c9fb37b7b907b77ddd7cf95e27f402cffd592ca215606d20

memory/5112-79-0x00000000012C0000-0x00000000012D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c6556fce-a07c-452c-9e39-167b07875447.vbs

MD5 14f857fbb554a713052f2a9577a17df3
SHA1 b4cc445945dfa4cc17329afccce762d533433893
SHA256 49caf57496292fc79cc35381871cca33cb60245339e44811d5772e7e0e33f965
SHA512 e0d0d87b3e15e9badbd81899c7a62b01dc1d0405c674b4dd523782336133669a132c24861b20db1d330871ad5978e1908fab1715d580cacfaffc9437ae1f1463

memory/4284-91-0x0000000001710000-0x0000000001722000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6dbbf49f-abe7-4c68-ac93-9c3f8e05af8e.vbs

MD5 197731de0845980b9b92df2eb4aa6f0b
SHA1 45bd87dae5b6c2bb9ae996f20b5fd35b90a55b87
SHA256 9054f0a8ba34d34be858222b2ad93d6dccb0f70a233c2edb2a461f81e2fcf7e2
SHA512 2a96cc295341f9eb8f3c1ab9f1f12d6b78d79d8088b6ca1bcb374472bd919ce8e182441cfaf9965910458b1a922d690988b71ed8179576a9cf497b422c8debe1

memory/2084-103-0x00000000016E0000-0x00000000016F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e25f7065-65ef-45bd-aaee-d7d020edbea8.vbs

MD5 bb160409fd28ec90cc82c64c0dcc4b4e
SHA1 961ea1468498b0e777f8cc2ae7f25355457d00bd
SHA256 1572678f6cb68e2270cb4a45d19cde73e23a6f8f8a63f1596c8bf70b66d2c61d
SHA512 56d8a5a2f73f7ca9b67b75a11e6a8f956b958c97585ab7cdd69929cddb2df3335fd524af893246896aca45e5762013f992c8f47f46561f9bb07b5fdfb649267c

C:\Users\Admin\AppData\Local\Temp\cef22c8b-60a8-4541-8053-f584a8a2c1d7.vbs

MD5 091cff738e6d48a1d7527a85805fc3ee
SHA1 ebf3b3696354b0c55b4f3335a3636886986f42cf
SHA256 200d6656f6887dce6df6b68211a26166668f959fe8dd529b136644fa27dd4634
SHA512 2cec7a27c457af0e6ecfa5202a07aa53d375d7837d5146f68868f4743abd2bb3cdca932d07137f4ea8e84fc67321c83daad44b421f5a71e6a6786c7106e0de5d

memory/4892-126-0x000000001B580000-0x000000001B592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2098aae2-92de-4040-8c38-742964ff4233.vbs

MD5 449cba984c7485f57a7cbc9210a26a6c
SHA1 c91c390845d60f209c7b6b0be7d6de1af7ae13f2
SHA256 51ee608486214f12cb7b2e34f17c695cbde7a5c23f7d47acf204e4896df99689
SHA512 63b29f0725a3eebbd98fa224fced8e8e154aa0f1aa17905ef50dff8f99423dec73e99b78838502e9863c439732768f94038beaf26ee10fc89b3064e03411c49a

C:\Users\Admin\AppData\Local\Temp\75e8bad2-1e5e-437e-a56c-5be65d44f1fe.vbs

MD5 f82d11c0fce7ba942f3378a467804863
SHA1 52bd523ca17e8c3448fca5b2da436d1afe8dc350
SHA256 1f3091863f6c7e897d6f865a8be438ac714bf93abbedcc6d3d3abf6136b0ac10
SHA512 46778d7610b8939bf44c5e4b6b2dabdc7d96e45c35733a5fcde8ea60ed18a8e8c4ddb6617803a9f95550fed4ad674105366e447549b0143b57150afa546465e6

C:\Users\Admin\AppData\Local\Temp\1879c4a3-281d-4636-85b7-40c0a01f2982.vbs

MD5 121ce5d13f86995feda2e3479e9bff0c
SHA1 4acf884749d2ca1bd6693b0914e0e352f8768d38
SHA256 7ab7b1d4e9d02280b7ba4fc457b1fc5ee0fb82416af741e1ef438276cc91fd62
SHA512 4ccdeb431f931dd20a1d1f4120475aec2693e84d62ed2f4b14b7442ec48e2f5845fa371fbd21d7aa7f388ed2e7889af5d47cf994de432d0321776eaa273fc12e