Malware Analysis Report

2024-10-10 13:02

Sample ID: 240618-wxjywstend
Target: b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe
SHA256: b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2
Tags: rat dcrat evasion execution infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2

Threat Level: Known bad

The file b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DcRat

UAC bypass

DCRat payload

Dcrat family

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-18 18:17

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 18:17
Reported: 2024-06-18 18:20
Platform: win7-20240419-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\Services\sppsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\Common Files\Services\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\RCX264B.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\RCX2A64.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Common Files\Services\RCX368D.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\RCX3BB0.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files (x86)\Microsoft Office\cbc4d2449b9571 C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\winlogon.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX2C69.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\RCX2A63.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX2C68.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\RCX3488.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Common Files\Services\RCX36FB.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\RCX3489.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\RCX25DC.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\winlogon.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\RCX3C1E.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Common Files\Services\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\Common Files\Services\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sppsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 1992 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 1992 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 1992 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 1992 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 1640 wrote to memory of 868 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1640 wrote to memory of 868 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1640 wrote to memory of 868 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1640 wrote to memory of 2176 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1640 wrote to memory of 2176 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1640 wrote to memory of 2176 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 868 wrote to memory of 2796 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 868 wrote to memory of 2796 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 868 wrote to memory of 2796 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 868 wrote to memory of 2796 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 868 wrote to memory of 2796 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 2796 wrote to memory of 2084 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 2084 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 2084 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 1492 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 1492 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2796 wrote to memory of 1492 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2084 wrote to memory of 1012 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 2084 wrote to memory of 1012 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 2084 wrote to memory of 1012 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 2084 wrote to memory of 1012 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 2084 wrote to memory of 1012 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\Services\sppsvc.exe
PID 1012 wrote to memory of 3064 N/A C:\Program Files\Common Files\Services\sppsvc.exe C:\Windows\System32\WScript.exe
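
The rows above are the sandbox's raw record of every CreateProcess the dropper and its copies performed (each spawn is logged several times). Rebuilding them into a tree is the quickest way to see the structure: PID 1992 fans out into the PowerShell exclusion commands and one sppsvc.exe copy, and that copy then alternates sppsvc.exe -> WScript.exe -> sppsvc.exe through the .vbs files listed under Processes. The script below is an added example, not part of the report or of any DcRat tooling; SAMPLE_ROWS is a constructed excerpt of the table, and the parser assumes the report's flattened layout and that each image path ends in .exe (that is how the two paths are split).

```python
"""Rebuild the detonation's process tree from the report's
'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the sandbox report or of any DcRat tooling.
SAMPLE_ROWS is a constructed excerpt copied from the rows above; the parser
assumes the report's flattened 'Description Indicator Process Target' layout
and that every image path ends in '.exe' (that is how the two paths are split).
"""
import ntpath
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SPPSVC = r"C:\Program Files\Common Files\Services\sppsvc.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"

# Constructed excerpt of the table: the sandbox logs one spawn as several identical rows.
SAMPLE_ROWS = [
    f"PID 1992 wrote to memory of 2936 N/A {DROPPER} {PS}",
    f"PID 1992 wrote to memory of 2936 N/A {DROPPER} {PS}",
    f"PID 1992 wrote to memory of 2656 N/A {DROPPER} {PS}",
    f"PID 1992 wrote to memory of 1640 N/A {DROPPER} {SPPSVC}",
    f"PID 1640 wrote to memory of 868 N/A {SPPSVC} {WSCRIPT}",
    f"PID 1640 wrote to memory of 2176 N/A {SPPSVC} {WSCRIPT}",
    f"PID 868 wrote to memory of 2796 N/A {WSCRIPT} {SPPSVC}",
    f"PID 2796 wrote to memory of 2084 N/A {SPPSVC} {WSCRIPT}",
    f"PID 2796 wrote to memory of 1492 N/A {SPPSVC} {WSCRIPT}",
    f"PID 2084 wrote to memory of 1012 N/A {WSCRIPT} {SPPSVC}",
    f"PID 1012 wrote to memory of 3064 N/A {SPPSVC} {WSCRIPT}",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_image>.+?\.exe) (?P<dst_image>.+\.exe)$",
    re.IGNORECASE,
)


def parse_rows(rows):
    """Map (writer_pid, target_pid) -> (writer_image, target_image); duplicate rows collapse."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))] = (m["src_image"], m["dst_image"])
    return edges


def build_tree(edges):
    """Return (children, images): pid -> sorted child pids, pid -> image path."""
    children = defaultdict(list)
    images = {}
    for (src, dst), (src_image, dst_image) in edges.items():
        children[src].append(dst)
        images.setdefault(src, src_image)
        images[dst] = dst_image
    return {pid: sorted(kids) for pid, kids in children.items()}, images


def roots(children):
    """PIDs that write to others but were never written to: the detonation entry points."""
    spawned = {c for kids in children.values() for c in kids}
    return sorted(pid for pid in children if pid not in spawned)


def deepest_path(children, pid):
    """Longest writer -> target chain starting at pid, as a list of PIDs."""
    if pid not in children:
        return [pid]
    return [pid] + max((deepest_path(children, c) for c in children[pid]), key=len)


def image_names(images, pids):
    """Basenames of the images along a PID list (ntpath handles the Windows separators)."""
    return [ntpath.basename(images[p]) for p in pids]


def render(children, images, pid, depth=0, out=None):
    """Indented text tree, one line per process."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid}  {images[pid]}")
    for child in children.get(pid, []):
        render(children, images, child, depth + 1, out)
    return out


if __name__ == "__main__":
    children, images = build_tree(parse_rows(SAMPLE_ROWS))
    for root in roots(children):
        print("\n".join(render(children, images, root)))
    print("relaunch chain:", " -> ".join(image_names(images, deepest_path(children, 1640))))
```

Run against the full table the same way; the alternating sppsvc.exe / WScript.exe chain under PID 1640 is the self-relaunch loop, and the PIDs on it are the ones whose .vbs arguments (listed under Processes) are worth pulling from the detonation.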

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\Services\sppsvc.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe

"C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2b" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2b" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86e568a4-ad37-41f6-8552-8420b1330576.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40804348-ef62-40d1-8c16-5ecbfed4f0be.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5337bc51-0ea1-412a-b26f-e76cdf813355.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ecccb58-9b47-438f-a2a6-7f52a28ec94d.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02d07f89-e6d4-49ad-951c-aaf62ebf3cc5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f22ced-346c-4bd0-a754-0eb4b5e43e49.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe70433b-6e47-4b74-917d-6b2f85682990.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccbb3801-0e8f-4510-a48f-5b5a05023998.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\837edd82-df0d-4766-8df4-23ca7b96970c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ca29be8-e28b-4b5e-bd01-302927ffa7be.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\433c551e-1ca2-45f8-a317-344ae86992fb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e94d347e-bbcb-4f0b-b014-2ffd85246169.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\167bab60-e487-43d9-9d05-ce233582702c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0fdb3f9-16c1-4eed-a8c9-70b39f7e8585.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f46a3e2-6f0b-4723-9b75-0f600bbeee2c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ff88ef9-7d26-4ff2-ac15-e89b151fd7bf.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fce6eb6-37ad-4205-8ee6-7d6e27da3c85.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4fdbef3-a7a6-4d46-8934-58f4c7348002.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9920ef4f-f466-43c9-a916-5abe215fb81c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2de64105-8591-448b-a6a1-56fcd77cfc19.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8a89456-2d56-43f9-89d7-62402c5222e5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb0d3452-a6dc-4e2f-892e-201dcd966f58.vbs"

C:\Program Files\Common Files\Services\sppsvc.exe

"C:\Program Files\Common Files\Services\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7f4fccc-5683-48ae-92fd-82315336bfd4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5356534e-d15a-4101-ab67-50fad1c00a2d.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0986195.xsph.ru udp
RU 141.8.192.103:80 a0986195.xsph.ru tcp

Files

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe

C:\Program Files (x86)\Microsoft Office\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe

C:\Program Files\Common Files\Services\sppsvc.exe

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe

C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\86e568a4-ad37-41f6-8552-8420b1330576.vbs

C:\Users\Admin\AppData\Local\Temp\40804348-ef62-40d1-8c16-5ecbfed4f0be.vbs

C:\Users\Admin\AppData\Local\Temp\5337bc51-0ea1-412a-b26f-e76cdf813355.vbs

C:\Users\Admin\AppData\Local\Temp\02d07f89-e6d4-49ad-951c-aaf62ebf3cc5.vbs

C:\Users\Admin\AppData\Local\Temp\fe70433b-6e47-4b74-917d-6b2f85682990.vbs

C:\Users\Admin\AppData\Local\Temp\837edd82-df0d-4766-8df4-23ca7b96970c.vbs

C:\Users\Admin\AppData\Local\Temp\433c551e-1ca2-45f8-a317-344ae86992fb.vbs

C:\Users\Admin\AppData\Local\Temp\167bab60-e487-43d9-9d05-ce233582702c.vbs

C:\Users\Admin\AppData\Local\Temp\8f46a3e2-6f0b-4723-9b75-0f600bbeee2c.vbs

C:\Users\Admin\AppData\Local\Temp\6fce6eb6-37ad-4205-8ee6-7d6e27da3c85.vbs

C:\Users\Admin\AppData\Local\Temp\9920ef4f-f466-43c9-a916-5abe215fb81c.vbs

C:\Users\Admin\AppData\Local\Temp\e8a89456-2d56-43f9-89d7-62402c5222e5.vbs

C:\Users\Admin\AppData\Local\Temp\d7f4fccc-5683-48ae-92fd-82315336bfd4.vbs

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 18:17

Reported

2024-06-18 18:20

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\RCX410A.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\attachments\RCX49EB.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\Windows Multimedia Platform\explorer.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX3528.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX3529.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\attachments\RCX4A69.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\MsEdgeCrashpad\attachments\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\explorer.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\RCX5164.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\attachments\services.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\RCX5165.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\Windows Multimedia Platform\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\MsEdgeCrashpad\attachments\services.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\WindowsApps\sysmon.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Program Files\Microsoft Office\Office16\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\RCX410B.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Performance\RCX3C72.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Windows\Performance\RCX3C73.tmp C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File opened for modification C:\Windows\Performance\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Windows\Performance\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Windows\Performance\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Windows\Speech\Common\es-ES\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
File created C:\Windows\ImmersiveControlPanel\uk-UA\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
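The two drop tables above show one pattern repeated per directory: an executable carrying the name of a Windows binary (winlogon.exe, services.exe, explorer.exe, RuntimeBroker.exe, SearchApp.exe, unsecapp.exe, sysmon.exe) written somewhere the genuine binary never lives, an extensionless 14-hex-character file written beside it, and RCX????.tmp files opened for modification in the same directory before the final name appears. The following Python is an added triage script, not part of the sandbox output: it tags each unique path from the tables with one of those three patterns and pairs each masquerading executable with its companion file. EXPECTED_DIRS is an assumed allow-list written for this illustration, not a complete map of where each binary may legitimately reside.

```python
"""Triage of the dropped-file rows above (added example, not sandbox output).

Tags each path as a masquerading executable, a hex-named companion file or an
RCX staging file, then pairs executables with the companion dropped beside
them. EXPECTED_DIRS is an assumed allow-list for this illustration only.
"""
import re
from pathlib import PureWindowsPath

# Assumed legitimate directories (lower-case) for the binary names in the report.
EXPECTED_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "unsecapp.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "searchapp.exe": {r"c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy"},
    "sysmon.exe": {r"c:\windows"},
}
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")       # e.g. cc11b995f2a76d
STAGING_RE = re.compile(r"^rcx[0-9a-f]{4}\.tmp$")   # e.g. rcx410a.tmp

# Unique paths copied from the "Drops file in Program Files/Windows directory" tables.
DROPS = [
    r"C:\Program Files\Reference Assemblies\Microsoft\cc11b995f2a76d",
    r"C:\Program Files\Reference Assemblies\Microsoft\RCX410A.tmp",
    r"C:\Program Files\Reference Assemblies\Microsoft\RCX410B.tmp",
    r"C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe",
    r"C:\Program Files\MsEdgeCrashpad\attachments\RCX49EB.tmp",
    r"C:\Program Files\MsEdgeCrashpad\attachments\RCX4A69.tmp",
    r"C:\Program Files\MsEdgeCrashpad\attachments\c5b4cb5e9653cc",
    r"C:\Program Files\MsEdgeCrashpad\attachments\services.exe",
    r"C:\Program Files\Microsoft Office\Office16\RCX5164.tmp",
    r"C:\Program Files\Microsoft Office\Office16\RCX5165.tmp",
    r"C:\Program Files\Microsoft Office\Office16\9e8d7a4ca61bd9",
    r"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe",
    r"C:\Program Files\Windows Multimedia Platform\RCX3528.tmp",
    r"C:\Program Files\Windows Multimedia Platform\RCX3529.tmp",
    r"C:\Program Files\Windows Multimedia Platform\7a0fd90576e088",
    r"C:\Program Files\Windows Multimedia Platform\explorer.exe",
    r"C:\Program Files\WindowsApps\sysmon.exe",
    r"C:\Windows\Performance\RCX3C72.tmp",
    r"C:\Windows\Performance\RCX3C73.tmp",
    r"C:\Windows\Performance\38384e6a620884",
    r"C:\Windows\Performance\SearchApp.exe",
    r"C:\Windows\Speech\Common\es-ES\unsecapp.exe",
    r"C:\Windows\ImmersiveControlPanel\uk-UA\RuntimeBroker.exe",
]


def classify_drop(path):
    """Tag one dropped path: 'masquerade', 'companion', 'staging' or None."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
        return "masquerade"
    if COMPANION_RE.match(name):
        return "companion"
    if STAGING_RE.match(name):
        return "staging"
    return None


def triage(paths):
    """Group the tagged paths by tag, sorted for stable output."""
    out = {"masquerade": [], "companion": [], "staging": []}
    for path in paths:
        tag = classify_drop(path)
        if tag:
            out[tag].append(path)
    return {tag: sorted(v) for tag, v in out.items()}


def paired_drops(result):
    """Directories that received both a masquerading executable and a hex-named
    companion; the pair is the loader's working set, so sweep both together."""
    by_dir = {}
    for tag in ("masquerade", "companion"):
        for path in result[tag]:
            p = PureWindowsPath(path)
            by_dir.setdefault(str(p.parent), {})[tag] = p.name
    return {d: v for d, v in by_dir.items() if len(v) == 2}


if __name__ == "__main__":
    res = triage(DROPS)
    for tag, paths in res.items():
        print(f"{tag}: {len(paths)}")
        for path in paths:
            print("   ", path)
    for d, pair in paired_drops(res).items():
        print("pair:", d, pair)
```

Run against the rows above, the script reports eight masquerading executables, five companion files and ten RCX staging files, and pairs five directories (Reference Assemblies\Microsoft, MsEdgeCrashpad\attachments, Office16, Windows Multimedia Platform and Windows\Performance) where both an executable and its companion landed. The three executables without a companion (sysmon.exe, unsecapp.exe and the uk-UA RuntimeBroker.exe) are still masquerades and still need removing; the pairing only tells you where the loader completed its install.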

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\cmd.exe
PID 2308 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe C:\Windows\System32\cmd.exe
PID 1704 wrote to memory of 5436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1704 wrote to memory of 5436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1704 wrote to memory of 5776 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 1704 wrote to memory of 5776 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 5776 wrote to memory of 5960 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5776 wrote to memory of 5960 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5776 wrote to memory of 6004 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5776 wrote to memory of 6004 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5960 wrote to memory of 4504 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 5960 wrote to memory of 4504 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 4504 wrote to memory of 5308 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4504 wrote to memory of 5308 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4504 wrote to memory of 4656 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4504 wrote to memory of 4656 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5308 wrote to memory of 440 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 5308 wrote to memory of 440 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 440 wrote to memory of 4468 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 440 wrote to memory of 4468 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 440 wrote to memory of 1700 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 440 wrote to memory of 1700 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4468 wrote to memory of 5516 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 4468 wrote to memory of 5516 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 5516 wrote to memory of 5560 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5516 wrote to memory of 5560 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5516 wrote to memory of 4104 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5516 wrote to memory of 4104 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5560 wrote to memory of 4012 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 5560 wrote to memory of 4012 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 4012 wrote to memory of 4212 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4012 wrote to memory of 4212 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4012 wrote to memory of 5656 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4012 wrote to memory of 5656 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4212 wrote to memory of 5764 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 4212 wrote to memory of 5764 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 5764 wrote to memory of 5936 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5764 wrote to memory of 5936 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5764 wrote to memory of 5984 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5764 wrote to memory of 5984 N/A C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5936 wrote to memory of 5808 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
PID 5936 wrote to memory of 5808 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
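Read as parent/child pairs, the WriteProcessMemory rows above give the full process tree: the sample (PID 2308) starts eleven powershell.exe instances and one cmd.exe; cmd.exe runs w32tm.exe and the dropped Office16\RuntimeBroker.exe; from there every RuntimeBroker.exe starts two WScript.exe processes and one of those starts the next RuntimeBroker.exe, seven generations deep within the analysis window. The Python below is an added example, not sandbox output: it rebuilds that tree from the PIDs and image paths in the table (each pair is listed twice there, so one copy is kept), finds the deepest chain and counts how often a script host re-spawns an executable that lives outside the Windows directory. Nothing beyond the values in the rows is assumed.

```python
"""Process-tree reconstruction from the WriteProcessMemory rows above (added
example, not sandbox output). EDGES holds one copy of each parent/child pair
with the image paths exactly as the table prints them."""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
WS = r"C:\Windows\System32\WScript.exe"
RB = r"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

# (parent pid, child pid, parent image, child image), copied from the table.
EDGES = [
    (2308, 4452, SAMPLE, PS), (2308, 2556, SAMPLE, PS), (2308, 1472, SAMPLE, PS),
    (2308, 3892, SAMPLE, PS), (2308, 228, SAMPLE, PS), (2308, 4932, SAMPLE, PS),
    (2308, 2524, SAMPLE, PS), (2308, 1512, SAMPLE, PS), (2308, 3108, SAMPLE, PS),
    (2308, 2256, SAMPLE, PS), (2308, 3280, SAMPLE, PS), (2308, 1704, SAMPLE, CMD),
    (1704, 5436, CMD, W32TM), (1704, 5776, CMD, RB),
    (5776, 5960, RB, WS), (5776, 6004, RB, WS), (5960, 4504, WS, RB),
    (4504, 5308, RB, WS), (4504, 4656, RB, WS), (5308, 440, WS, RB),
    (440, 4468, RB, WS), (440, 1700, RB, WS), (4468, 5516, WS, RB),
    (5516, 5560, RB, WS), (5516, 4104, RB, WS), (5560, 4012, WS, RB),
    (4012, 4212, RB, WS), (4012, 5656, RB, WS), (4212, 5764, WS, RB),
    (5764, 5936, RB, WS), (5764, 5984, RB, WS), (5936, 5808, WS, RB),
]


def build_tree(edges):
    """Return (pid -> image path, parent pid -> [child pids])."""
    image, children = {}, defaultdict(list)
    for ppid, pid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image[pid] = cimg
        children[ppid].append(pid)
    return image, children


def longest_chain(children, root):
    """Deepest ancestry line below root, as a list of PIDs starting at root."""
    best = [root]
    for child in children.get(root, []):
        cand = [root] + longest_chain(children, child)
        if len(cand) > len(best):
            best = cand
    return best


def in_windows_dir(path):
    """True when the image lives under the Windows directory."""
    return str(PureWindowsPath(path).parent).lower().startswith("c:\\windows")


def relaunch_generations(image, chain):
    """Count hops where WScript.exe starts an executable outside the Windows
    directory: a dropped binary re-spawning itself through a script host."""
    return sum(
        1 for parent, child in zip(chain, chain[1:])
        if PureWindowsPath(image[parent]).name.lower() == "wscript.exe"
        and not in_windows_dir(image[child])
    )


def spawn_summary(image, children, pid):
    """Image names of the direct children of pid, with counts."""
    return dict(Counter(PureWindowsPath(image[c]).name.lower()
                        for c in children.get(pid, [])))


if __name__ == "__main__":
    image, children = build_tree(EDGES)
    chain = longest_chain(children, 2308)
    print("sample spawned:", spawn_summary(image, children, 2308))
    print("deepest chain:", len(chain), "processes,",
          relaunch_generations(image, chain), "script-host relaunches")
    for pid in chain:
        print(f"  {pid:>5}  {PureWindowsPath(image[pid]).name}")
```

On these rows the deepest chain is fifteen processes long, from the sample through cmd.exe into the first RuntimeBroker.exe and then six further WScript.exe to RuntimeBroker.exe hops. A hunt rule built on the same idea (WScript.exe whose child is an .exe outside C:\Windows, nested more than once) catches the loader regardless of which directory or system-binary name it picked for the copy; the eleven short-lived powershell.exe children of the original sample and the cmd.exe that runs w32tm.exe before the first relaunch are the secondary anchors.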

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A
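
The 45 rows above are three registry values written over and over by the dropped RuntimeBroker.exe copy (and three times by the original sample): EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, all set to 0. ConsentPromptBehaviorAdmin=0 together with PromptOnSecureDesktop=0 means members of Administrators elevate with no prompt at all, effective immediately; EnableLUA=0 switches UAC off entirely but only after the next reboot. The following script is an added example, not part of the sandbox report or of any tooling it came from: it parses rows in the exact layout the table uses (note the process path contains spaces, so a naive split on whitespace breaks) and reduces them to the findings a responder needs. The sample rows are constructed to mirror the table; the value semantics are Microsoft's documented UAC policy meanings.

```python
"""Reduce 'System policy modification' rows to UAC findings (added example)."""
import re

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Effect of writing 0 to each value (Microsoft's documented UAC policy semantics).
UAC_ZERO_EFFECT = {
    "EnableLUA": "Admin Approval Mode off: UAC disabled entirely after the next reboot",
    "ConsentPromptBehaviorAdmin": "administrators elevate without being prompted",
    "PromptOnSecureDesktop": "any remaining prompt is drawn on the normal desktop, not the secure desktop",
}

# Row layout: Set value (<type>) <key> = "<value>" <process> <target>
# The process path may contain spaces, so it is matched lazily up to the final token.
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<value>[^"]*)" '
    r'(?P<process>.+?) (?P<target>\S+)$'
)


def parse_row(line):
    """Return the row as a dict, or None if the line is not a 'Set value' row."""
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    parent, _, name = m.group("key").rpartition("\\")
    return {"type": m.group("vtype"), "parent": parent, "name": name,
            "value": m.group("value"), "process": m.group("process")}


def uac_weakening_writes(lines):
    """Collect writes of 0 to the three UAC policy values, keyed by value name."""
    findings = {}
    for line in lines:
        row = parse_row(line)
        if row is None or row["parent"].lower() != UAC_POLICY_KEY.lower():
            continue
        if row["name"] not in UAC_ZERO_EFFECT or row["value"] != "0":
            continue
        f = findings.setdefault(row["name"], {"count": 0, "writers": set(),
                                              "effect": UAC_ZERO_EFFECT[row["name"]]})
        f["count"] += 1
        f["writers"].add(row["process"])
    return findings


def verdict(findings):
    """One line per value, then the combined verdicts a responder cares about."""
    out = [f"{n}=0, {f['count']} write(s) by {len(f['writers'])} process(es): {f['effect']}"
           for n, f in sorted(findings.items())]
    if {"ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"} <= set(findings):
        out.append("VERDICT: silent auto-elevation for admin accounts, effective immediately "
                   "(ATT&CK T1548.002 via T1112)")
    if "EnableLUA" in findings:
        out.append("VERDICT: UAC fully disabled once the host reboots")
    return out


# Constructed sample: five rows in the shape of the table above plus one
# unrelated registry write that must be ignored.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\explorer.exe N/A',
]

if __name__ == "__main__":
    for line in verdict(uac_weakening_writes(SAMPLE_ROWS)):
        print(line)
```

On a live host the same three values are read from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; a 0 in any of them on a managed workstation is worth tracing back to the writing process, and EnableLUA=0 in particular should be treated as evidence of tampering rather than a misconfiguration.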

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe

"C:\Users\Admin\AppData\Local\Temp\b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default\Links\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Performance\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\attachments\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O5JqKKmgfc.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,8447163055677043976,7218082390179600880,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:8

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\400192a9-b6ae-44b7-8cfe-0622f5821064.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0b6576b-6bc3-4f13-ad84-22e2f66dd86d.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df224358-d5b9-4be0-adf4-c472b6c6ed99.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79c48563-3184-4428-8f46-03f5f42f68b5.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0425b9d4-48a0-464f-bf20-ad8e671953bd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4173a07a-6a5d-4246-adf5-ddd4a72a3de6.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01329c27-dfd6-49e9-8de4-750f9c528c73.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c160df5-7af8-4065-b288-eb02c85ea84f.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb8b62ea-e9d2-495f-8769-aea07bfea220.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d29b35a3-d960-43cc-bdc8-c8b33da1c800.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45ed993a-64f7-4922-988d-b157db1778ba.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060a170d-3f6f-472a-9fd0-84e9c7850260.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\105244fc-75c9-4b7b-852b-a3087900a4e2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\816f795f-ce60-4f31-a1e7-e76b07e80d3f.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14bd2c1a-55b3-4fb2-a6a5-0d6cca5bfe01.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\399178c6-9888-4c91-b324-b147f5245fbf.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\516b402c-07d7-4864-8d42-05bcdef7bc00.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff35ad33-fdb2-49a0-b26b-4bc6cf7f0b99.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\451ff042-659f-4221-bcc4-e44419688f19.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16b8cc4e-d8de-4e31-8112-60f7d3c8e13b.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b15d5cc-6bc0-48ae-92b8-958d5aade017.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f5b09c9-6c97-46cb-9d46-7418d1ad8e28.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03619c07-63f4-4575-aac9-63585d536b01.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02df81dd-c52b-4a72-b737-27a8d05767c9.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73d228d2-c94b-4f3e-9b76-d2a6cc430eeb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8694fcd-28fa-45ad-9a19-6f85b023853a.vbs"

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe

"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\669df47f-696b-4097-9b9e-fdcc9d2c7af5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38e463ff-592b-47b3-a63e-cad3cfa4ec3f.vbs"
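
The process list above has a very regular shape. Every dropped copy gets three scheduled tasks: one MINUTE task whose name is the target's file stem plus its own first letter ("backgroundTaskHostb", "explorere", "msedgem", "SearchAppS", "RegistryR"), one ONLOGON task named exactly after the stem with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST. Every target borrows the name of a Windows or Office binary but lives somewhere that binary never does (C:\Recovery\WindowsRE, C:\Users\Default\Links, C:\Windows\Performance, C:\Program Files\MsEdgeCrashpad\attachments), and "Registry.exe" has no genuine counterpart at all, since the Registry process on Windows is kernel-hosted and has no image on disk. Eleven Defender exclusions cover every top-level directory of C: plus the drive root, and the w32tm /stripchart invocation is the usual way a batch file sleeps a few seconds without timeout.exe. The script below is an added example, not part of the sandbox report or of any tooling behind it: it turns those observations into checks over command lines. The CANONICAL_DIR table is this example's own assumption about a default Windows 10/11 x64 image and should be verified against your golden image; the sample command lines are constructed copies of rows from the list above plus one benign control.

```python
"""Command-line triage for the schtasks / Add-MpPreference / w32tm pattern (added example)."""
import re
from pathlib import PureWindowsPath

# Assumed directory of the genuine binary of each name on a default Windows 10/11 x64
# install; None means no such on-disk image exists at all.
CANONICAL_DIR = {
    "backgroundtaskhost.exe": r"c:\windows\system32",
    "upfc.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "sihost.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "searchapp.exe": r"c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy",
    "msedge.exe": r"c:\program files (x86)\microsoft\edge\application",
    "officeclicktorun.exe": r"c:\program files\common files\microsoft shared\clicktorun",
    "registry.exe": None,
}

SCHTASKS_RE = re.compile(
    r'schtasks(?:\.exe)?\s+/create\s+/tn\s+"(?P<name>[^"]+)"\s+/sc\s+(?P<sched>\w+)'
    r'(?:\s+/mo\s+(?P<mo>\d+))?\s+/tr\s+"\'?(?P<target>[^\'"]+)\'?"(?P<rest>.*)$',
    re.IGNORECASE)
DEFENDER_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.IGNORECASE)
W32TM_RE = re.compile(r"\bw32tm\s+/stripchart\b.*?/samples:\d+", re.IGNORECASE)


def triage_schtasks(cmd):
    """Return a finding for a 'schtasks /create' line (reasons may be empty), else None."""
    m = SCHTASKS_RE.search(cmd)
    if m is None:
        return None
    target = PureWindowsPath(m.group("target"))
    stem, fname = target.stem, target.name.lower()
    reasons = []
    # Naming seen throughout this report: task name == stem, or stem + its first letter.
    if stem and m.group("name") in (stem, stem + stem[0]):
        reasons.append("task name derived from target file stem")
    if fname in CANONICAL_DIR:
        canon = CANONICAL_DIR[fname]
        if canon is None:
            reasons.append(f"{target.name} is not a real on-disk Windows binary")
        elif str(target.parent).lower() != canon:
            reasons.append(f"{target.name} outside its canonical directory {canon}")
    if re.search(r"/rl\s+HIGHEST", m.group("rest"), re.IGNORECASE):
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    return {"kind": "schtasks", "name": m.group("name"), "target": str(target), "reasons": reasons}


def triage_defender_exclusion(cmd):
    """Flag Add-MpPreference exclusions; breadth of the excluded path sets the severity."""
    m = DEFENDER_RE.search(cmd)
    if m is None:
        return None
    path = m.group("path").replace("/", "\\").rstrip("\\")
    depth = path.count("\\")  # 'C:' -> 0, 'C:\Program Files' -> 1
    severity = "critical" if depth == 0 else "high" if depth == 1 else "medium"
    what = "entire drive" if depth == 0 else "top-level directory" if depth == 1 else "directory"
    return {"kind": "defender_exclusion", "path": path, "severity": severity,
            "reasons": [f"Defender exclusion for {what} {path}"]}


def triage_w32tm(cmd):
    """w32tm /stripchart ... /samples:N as a sleep primitive (LOLBin delay)."""
    if W32TM_RE.search(cmd):
        return {"kind": "w32tm_delay", "reasons": ["w32tm /stripchart used as a delay"]}
    return None


def triage(cmdlines):
    """Run every check over every command line; keep only findings with a reason."""
    findings = []
    for cmd in cmdlines:
        for check in (triage_schtasks, triage_defender_exclusion, triage_w32tm):
            f = check(cmd)
            if f is not None:
                if f["reasons"]:
                    f["cmd"] = cmd
                    findings.append(f)
                break
    return findings


# Constructed sample: copies of rows from the process list above plus one benign control.
CMDLINES = [
    r'''schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f''',
    r'''schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\msedge.exe'" /f''',
    r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\SearchApp.exe'" /f''',
    r'''schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f''',
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'",
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Windows\System32\wbadmin.exe" /f''',
]

if __name__ == "__main__":
    for f in triage(CMDLINES):
        print(f["kind"], "|", "; ".join(f["reasons"]))
```

The stem-plus-first-letter rule is specific to what this report shows and is a cheap, high-precision complement to the canonical-directory check; the directory check on its own already catches every dropped copy here because none of them sits where the real binary lives. Run the same checks over Security event 4698 (task created) and PowerShell 4104 script-block logs on the fleet and the whole chain, not just the final payload, becomes visible.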

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 13.107.42.16:443 tcp
US 8.8.8.8:53 a0986195.xsph.ru udp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp
RU 141.8.192.103:80 a0986195.xsph.ru tcp

Files

memory/2308-0-0x00007FFFA5693000-0x00007FFFA5695000-memory.dmp

memory/2308-1-0x00000000001E0000-0x00000000004DE000-memory.dmp

memory/2308-2-0x00007FFFA5690000-0x00007FFFA6151000-memory.dmp

memory/2308-3-0x0000000002820000-0x0000000002828000-memory.dmp

memory/2308-4-0x0000000002830000-0x000000000284C000-memory.dmp

memory/2308-5-0x000000001B170000-0x000000001B1C0000-memory.dmp

memory/2308-6-0x0000000002850000-0x0000000002858000-memory.dmp

memory/2308-7-0x0000000002860000-0x0000000002870000-memory.dmp

memory/2308-8-0x0000000002870000-0x0000000002886000-memory.dmp

memory/2308-9-0x0000000002890000-0x0000000002898000-memory.dmp

memory/2308-10-0x000000001B8F0000-0x000000001B900000-memory.dmp

memory/2308-11-0x000000001B1C0000-0x000000001B1CA000-memory.dmp

memory/2308-12-0x000000001B7F0000-0x000000001B846000-memory.dmp

memory/2308-13-0x000000001B1D0000-0x000000001B1DC000-memory.dmp

memory/2308-14-0x000000001B840000-0x000000001B848000-memory.dmp

memory/2308-15-0x000000001B850000-0x000000001B85C000-memory.dmp

memory/2308-16-0x000000001B860000-0x000000001B872000-memory.dmp

memory/2308-17-0x000000001BE30000-0x000000001C358000-memory.dmp

memory/2308-18-0x000000001B890000-0x000000001B89C000-memory.dmp

memory/2308-20-0x000000001B8B0000-0x000000001B8BC000-memory.dmp

memory/2308-19-0x000000001B8A0000-0x000000001B8A8000-memory.dmp

memory/2308-21-0x000000001B8C0000-0x000000001B8CC000-memory.dmp

memory/2308-26-0x000000001BB20000-0x000000001BB2C000-memory.dmp

memory/2308-25-0x000000001BB10000-0x000000001BB18000-memory.dmp

memory/2308-24-0x000000001BA00000-0x000000001BA0E000-memory.dmp

memory/2308-23-0x000000001B8E0000-0x000000001B8EA000-memory.dmp

memory/2308-22-0x000000001B8D0000-0x000000001B8D8000-memory.dmp

memory/2308-28-0x00007FFFA5690000-0x00007FFFA6151000-memory.dmp

memory/2308-27-0x000000001BB30000-0x000000001BB38000-memory.dmp

memory/2308-30-0x000000001BB50000-0x000000001BB5C000-memory.dmp

memory/2308-29-0x000000001BB40000-0x000000001BB4A000-memory.dmp

memory/2308-33-0x00007FFFA5690000-0x00007FFFA6151000-memory.dmp

C:\Windows\Performance\SearchApp.exe

MD5 1c56f7e7eddc792f68ac6f3cab2a4681
SHA1 ec7d386f705bec9d369afc8a01cfcbfb36f7518d
SHA256 b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2
SHA512 2adaaa4d4a506958541f8de3448d13a014da7f00124f8844b9ebd43af8d82834ee549a08fe4685fdd7865890139b2a718c737f8ac4b1520f0db8fa6e5dbfde8e

C:\Recovery\WindowsRE\upfc.exe

MD5 841151215f932cb81f9a96c5f5ccd3a4
SHA1 15e9f29437f27bb63b84c59c1000445c657a01c6
SHA256 82cb40c6e03c38b0f22a76fe40df9bed26876649a3adac7dca6a32aa673f4a8d
SHA512 7c7c6547159000ff3f4325abd529812ce697eba0ddf59c34f78c3071e2fc75213023eda221ecaaedf1172e6f27a44dcda081349e87fcdd16e9ad16e9a126f46e

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\winlogon.exe

MD5 43e9de379895ba6983159376a4e87dff
SHA1 34efea1fd1e4844b8f3769b6760a51921e994577
SHA256 d2865f05046be81b521a01a510acd78473b9b45f310b0e69a76c5638c0f87880
SHA512 c4a61b340ca816bfe9209ffeedce4fc555e8efd2f8c30e2187d36488c14cc8764882e63783d60e07f41094c14b3aafea2c51bb97d7f6ccf1b00be3cc3b80bac1

C:\Recovery\WindowsRE\Registry.exe

MD5 ca72b7fc5cae7729044ad19732f388e2
SHA1 830cc03fb8e9660868d2f7377729c74a90c20019
SHA256 d391071a6c590b59998d118ed43f54766357dea6452668a049fc5ce0016534f6
SHA512 36d15bc6e98c1601a623f22d626738b9946c9895b2851c8ee275e4ae2c25fa3825a6a47a74568083263763dbc62a52d56608e4e65c36216b04d58dcea6348c6a

C:\Program Files\MsEdgeCrashpad\attachments\services.exe

MD5 60514ed1f20dfe38209aea4a38f45bd6
SHA1 8244b280b2da11beff343e8ee76ae8f573b58d66
SHA256 89f36be564df760464562f6517a0c4f34ba1ba5fe24bb02f13e0b9ea6affff51
SHA512 9bc6cb7d7fbf89fb6b122d44b6db0577c72e8c21ebc03bc2a12ab0f12150ad8ef3eb94df049c9f7ac642d6692f27de20e9ef6a3a6444f4ec3567d0a5f75529bf

memory/2308-232-0x00007FFFA5690000-0x00007FFFA6151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h41adb13.xgi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3892-248-0x000001F1F0940000-0x000001F1F0962000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\O5JqKKmgfc.bat

MD5 8bae05f181b57385de85cea885caf925
SHA1 8dd75f26174a4c84d8b5e36c92179b8623257089
SHA256 3d282fd264b0c84c415997c1b3b1f728a313a15a7e8bf1125ebed2234db8b008
SHA512 012b9cad2d72409869a697018bac41d02b90cbcb957e1202be60496df737d1f6576ed03a70af1efc17c981adb00c1601383a2837bd351a35f63c5551433c9c0b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Temp\400192a9-b6ae-44b7-8cfe-0622f5821064.vbs

MD5 9d2a1d613165d82fee97b19369c15295
SHA1 0134419bc60b554589f4312c6ca943f654ea1239
SHA256 379360d29ec719266450a2c572185a9c60e15dcff9514b1747d126c71052cf8e
SHA512 050266416b78851b649d6f6726606ec3de68625ff21777ad63aa1c35af1a9263041ad26d065b311ddf4926fc2c25f97b1d5febb1df7f005d1d28fd844b3684cc

C:\Users\Admin\AppData\Local\Temp\f0b6576b-6bc3-4f13-ad84-22e2f66dd86d.vbs

MD5 baca38678ea730205ea658d3427c2a90
SHA1 d50251d027a0389d95e53347bc276f0ba6d020e8
SHA256 0a4936551d9e9a5bb9fec4eb9e146262058e97862577473575ebaf7a2ce0ae11
SHA512 db8c819141a103319601ce8b9d41e36790c4741cf8610bbf39f36f1d07da39ca2a81de7f220dd052ccbaf51084b22572c60318ba8e14baf6b2d91eae21056be4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\df224358-d5b9-4be0-adf4-c472b6c6ed99.vbs

MD5 d0e949b12602f34c7870fda365ec5995
SHA1 e7f9389f271c308b6f5f464d8daae6c91c1d37ef
SHA256 d5ac2d4c3c349d35759dc07c9c1532f68b0541d5717f9334e5d85cdb75b6bcd4
SHA512 4d78c74db1273cbb7aab80a122896f656f02d1c57b27c088ab4ebadccb6df6a6d8e54518f6b5a71df1c0841b8e0b01ecbddfd031726955bad8a77a51e8584015

C:\Users\Admin\AppData\Local\Temp\0425b9d4-48a0-464f-bf20-ad8e671953bd.vbs

MD5 e15d620353a3f06660369338ddbaadd0
SHA1 011a85c2f0c972afea59f7b49dba60765daf739a
SHA256 971e24e23a7a8361b9d0595dbf34fccd1dcc36bf1469a852213ad1665e8a2491
SHA512 3c12da52e14702cb524390e54ba4b36947a60a94d9f1926d28bb37174016e3e577e6047852d53249da8334716b8d9543cd0669546d3e91696e89984692299989

C:\Users\Admin\AppData\Local\Temp\01329c27-dfd6-49e9-8de4-750f9c528c73.vbs

MD5 b766adc26fa66a5158ed85e84dd95d41
SHA1 8a4883f8535322e4c0bcc739b36841144a2e2354
SHA256 c7a252a27c0b9f7482db1d6830c3afaeafcaaec874654bfb071332e557da23fb
SHA512 202e609480b2c7a694460e5fa89ef8fc8cf8be6641b0d0bd104ff5c7a9db990f38856983243f2f65259be2723a432b5ec9b2e7fbd458623176c81bff9f3baf0b

C:\Users\Admin\AppData\Local\Temp\bb8b62ea-e9d2-495f-8769-aea07bfea220.vbs

MD5 6202dc866ceeca06f7188ad15ce974b9
SHA1 686bd9ac8e0648b51a007f0ba82bc44c1db7ef12
SHA256 3d731e8e149ee2a80a2aebef4655a09605144c2e81827fc21e7e5d0038d75505
SHA512 9c99c6ac8a92d61383a2610f08559c75a416ba42ecdc18688eeda1bc28133f96a30ff4c4b24430bfeee3a93a50470d6fe5ba1a8bd6b42957315172ecd53cd04b

C:\Users\Admin\AppData\Local\Temp\45ed993a-64f7-4922-988d-b157db1778ba.vbs

MD5 f7f577c0701a9eaba738e8c349962baf
SHA1 d85425ca5a12b56edd30d84d1779a87fa95002ea
SHA256 f2d8ef82ec45694537d7c1373cc73f6b5d48413bc906f7c6cbfbe106e4437f1c
SHA512 4ab0ac28f24f65e7da059f1122fbce6c7e5580a3077f494c9a4c6a9de7ad4e061afcc8636fe44f1d7d2fb4aad1095252d1fb9477e20480e49be3a61b1a0f4a88

C:\Users\Admin\AppData\Local\Temp\105244fc-75c9-4b7b-852b-a3087900a4e2.vbs

MD5 83112acc6f4d37841e9af24c1f6d53ce
SHA1 cead0e695e7aa3d0a54f9f491a4fb5f8ecfe2254
SHA256 ad3bf8c61162b760b54f66be7c673f55177f7f32ce464bd03a3024731f483694
SHA512 7663966f8e38f91d5e19208d6f2f4e4f65e76653b80fec77f06f108b16894fb2a250d6e7bca0d881dcca62ed3e2beb07e13921f7b622f049bca8e485ededdd53

C:\Users\Admin\AppData\Local\Temp\14bd2c1a-55b3-4fb2-a6a5-0d6cca5bfe01.vbs

MD5 c54e81f8a99cc51fa2ac9883fcc26a91
SHA1 2dd21b50362e52773a9f0cfb286e4908d46966a3
SHA256 931659cb2d92c8ee2207a3d02d5d7c029922ed3b254044e2eb8796af1220664d
SHA512 e2ed757f72ce526d9eb0b51f2ae7c06e7592bdcfe84c7a362c77ee6733fa1d8fdfca66d8846722af4be2973f9eb0b8c1cf6b0c7bc7b32baa2077434085a14fd2

C:\Users\Admin\AppData\Local\Temp\516b402c-07d7-4864-8d42-05bcdef7bc00.vbs

MD5 26ad547724b0250498d4e0131347faf1
SHA1 a0c86fbc080a1936f8d6f5ba892483a9fad530e0
SHA256 9709b8c5d135f72d70f85cc5d3cb9ba3be0b8ee2f4b210d4ff9b3961770759f6
SHA512 7a4831b15507f61701ebf370ccd42feee129919501a8c92d47c863e2204eaf5908b588da8931f726af183aa117b05587f145a498e4a832094b757b93297cd892

C:\Users\Admin\AppData\Local\Temp\451ff042-659f-4221-bcc4-e44419688f19.vbs

MD5 2d0142dd8f19de7889fd21edad98d62f
SHA1 8b6dc22550beafe00eb49f8de91dd8a06d8784ae
SHA256 9eef0b09093cbac2b97493ed5e21a8593f6bb88b8a29b6a306a394cbd587d36b
SHA512 7b025dc324b037697960e9125ef0d82982de64fe1f2eb2d62dfeb9756721cc3517a67a770df6649ac611f3151eae6e61ae01eb6e4b9a9ce19c8d95d4ae53852a

memory/5516-471-0x000000001D3F0000-0x000000001D402000-memory.dmp

memory/6076-494-0x000000001C9F0000-0x000000001CA02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\73d228d2-c94b-4f3e-9b76-d2a6cc430eeb.vbs

MD5 5c47075814300c20fc9497ce97f9c12f
SHA1 4ada3dcadf155363a5f2de53044d80ad397359af
SHA256 0721a6b4d0c922eed6182cbf49519d2b560e474a1d47b1651e86acefe6fe06b8
SHA512 fe6f58901edfad3b9306540dc25223099fc7413880e6eba9674b545feaf5f7ab290b39b36cdf9dbefe3c0d25de668bf3444b4f20653f991c0d2cd13add494be7