Malware Analysis Report

2024-10-10 13:03

Sample ID 240619-db116ssejc
Target c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad
SHA256 c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad
Tags
rat dcrat evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad

Threat Level: Known bad

The file c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer persistence spyware stealer trojan

DcRat

UAC bypass

Modifies WinLogon for persistence

Dcrat family

DCRat payload

Process spawned unexpected child process

Detects executables packed with SmartAssembly

DCRat payload

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Scheduled Task/Job: Scheduled Task

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 02:50

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 02:50

Reported

2024-06-19 02:53

Platform

win7-20231129-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\lsass.exe\", \"C:\\Users\\Public\\Libraries\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\lsass.exe\", \"C:\\Users\\Public\\Libraries\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Users\\Default\\Templates\\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\lsass.exe\", \"C:\\Users\\Public\\Libraries\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Users\\Default\\Templates\\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\lsass.exe\", \"C:\\Users\\Public\\Libraries\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\lsass.exe\", \"C:\\Users\\Public\\Libraries\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\lsass.exe\", \"C:\\Users\\Public\\Libraries\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\lsass.exe\", \"C:\\Users\\Public\\Libraries\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Users\\Default\\Templates\\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\My Documents\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Windows\\Media\\Calligraphy\\wininit.exe\", \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\7-Zip\\Lang\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Media Player\\it-IT\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\My Documents\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default User\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\My Documents\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default User\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Media\\Calligraphy\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad = "\"C:\\Users\\Default\\Templates\\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Media Player\\it-IT\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\7-Zip\\Lang\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Music\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Music\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad = "\"C:\\Users\\Default\\Templates\\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Journal\\it-IT\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Public\\Libraries\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows NT\\Accessories\\ja-JP\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Documents\\My Videos\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Public\\Libraries\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Media\\Calligraphy\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\lsm.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\101b941d020240 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files\Windows NT\Accessories\ja-JP\lsass.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files\7-Zip\Lang\dllhost.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files\Windows Journal\it-IT\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files\Windows Journal\it-IT\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files\Windows NT\Accessories\ja-JP\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\explorer.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Media\Calligraphy\wininit.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Windows\Media\Calligraphy\56085415360792 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(identical entry recorded 57 times)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
(identical entry recorded 15 times)
N/A N/A C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A
(identical entry recorded 49 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe C:\Windows\System32\cmd.exe
PID 1988 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe C:\Windows\System32\cmd.exe
PID 1988 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe C:\Windows\System32\cmd.exe
PID 2672 wrote to memory of 2540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2672 wrote to memory of 2540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2672 wrote to memory of 2540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2672 wrote to memory of 2512 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Media Player\it-IT\explorer.exe
PID 2672 wrote to memory of 2512 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Media Player\it-IT\explorer.exe
PID 2672 wrote to memory of 2512 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Media Player\it-IT\explorer.exe
PID 2512 wrote to memory of 1584 N/A C:\Program Files\Windows Media Player\it-IT\explorer.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 1584 N/A C:\Program Files\Windows Media Player\it-IT\explorer.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 1584 N/A C:\Program Files\Windows Media Player\it-IT\explorer.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 1724 N/A C:\Program Files\Windows Media Player\it-IT\explorer.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 1724 N/A C:\Program Files\Windows Media Player\it-IT\explorer.exe C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 1724 N/A C:\Program Files\Windows Media Player\it-IT\explorer.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\it-IT\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe

"C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\it-IT\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\it-IT\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Calligraphy\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Media\Calligraphy\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Calligraphy\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Music\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522adc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad" /sc ONLOGON /tr "'C:\Users\Default\Templates\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522adc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v3NcBF1hA2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Media Player\it-IT\explorer.exe

"C:\Program Files\Windows Media Player\it-IT\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f41ab278-4231-4628-ba5c-c27a6238e6c9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7614f079-40be-4c89-89c4-bc4d1d88b767.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0992097.xsph.ru udp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp
RU 141.8.192.103:80 a0992097.xsph.ru tcp

Files

C:\Windows\Media\Calligraphy\wininit.exe

MD5 bfa95bec512a100511e4f1e90189594c
SHA1 5491655abcbe56963ff489b8181bacebd2873e07
SHA256 c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad
SHA512 be1f4da54c40d874cd47687e6578b978c2ea45f0ffe31c171db4e8cf67a84aa172844333bb028bd0e042f38f75bafa22522ce6572b6b53472d817a208258212b

C:\Users\Admin\AppData\Local\Temp\v3NcBF1hA2.bat

MD5 f0f3665641ccb17b7ab6f78d85eca6c5
SHA1 6b1dfd3d43374fdaa4346d53072d1b27ad21bfc2
SHA256 ca64dafab91e8595ce45dbd183cf7878784ec8b16545855bf6f623eb4fde85fb
SHA512 19e95a284625ecff956edc0a5920b36f2f81826efa7b1efa716fd30b2e89de8cb54a33f47cccc193589837809e2c00ed5852ce99fe9bc81558fc244caf9c29d8

C:\Users\Admin\AppData\Local\Temp\f41ab278-4231-4628-ba5c-c27a6238e6c9.vbs

MD5 d4eedf1c7516dbb17b775b2d0c27771e
SHA1 4e86a711cb932c581ef054f65c088e33060dffdf
SHA256 77eb1548474d31ae1e7c1adc0586a16fc9ff372bdf78d34441d3596d4353b6ba
SHA512 b00fbd307a7ccf23a145183ff6a95d850b7e79a1f69c6bcd79ad4ffa5d53b9df5aea8f4106f2ddb6331225c1cce06c478a6744da7eb62b4d6475d53de501eaeb

C:\Users\Admin\AppData\Local\Temp\7614f079-40be-4c89-89c4-bc4d1d88b767.vbs

MD5 6dea0b39f4aabad6778159bf17ced979
SHA1 0c30254fc46c1465adfb24822b990d896a3322a7
SHA256 5db4bcc09644536bc085ca6d2bc6ea08a786f133ef9677681f486c991733890a
SHA512 a498c07f36963f8b68c5e3d75e6823b06d8ae77cfd47e0c4b2a90c72dc2e21c522a0b2e6d9e98c0668da6c425a359f15694150b512b1573cfe00742970a927d3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 02:50

Reported

2024-06-19 02:53

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\Setup\\State\\smss.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\explorer.exe\", \"C:\\Users\\Public\\Pictures\\wininit.exe\", \"C:\\Users\\Default\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\Setup\\State\\smss.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\explorer.exe\", \"C:\\Users\\Public\\Pictures\\wininit.exe\", \"C:\\Users\\Default\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\unsecapp.exe\", \"C:\\Users\\Admin\\Links\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\Setup\\State\\smss.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\Setup\\State\\smss.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\explorer.exe\", \"C:\\Users\\Public\\Pictures\\wininit.exe\", \"C:\\Users\\Default\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\Setup\\State\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\Setup\\State\\smss.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\Setup\\State\\smss.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\explorer.exe\", \"C:\\Users\\Public\\Pictures\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\Setup\\State\\smss.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\explorer.exe\", \"C:\\Users\\Public\\Pictures\\wininit.exe\", \"C:\\Users\\Default\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\unsecapp.exe\", \"C:\\Users\\Admin\\Links\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\Registration\\CRMLog\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\security\\database\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\Setup\\State\\smss.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\explorer.exe\", \"C:\\Users\\Public\\Pictures\\wininit.exe\", \"C:\\Users\\Default\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\unsecapp.exe\", \"C:\\Users\\Admin\\Links\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\security\database\taskhostw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Registration\\CRMLog\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default User\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Setup\\State\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\DigitalLocker\\en-US\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\Registration\\CRMLog\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Setup\\State\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Pictures\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Pictures\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\security\\database\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\DigitalLocker\\en-US\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Links\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default User\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\security\\database\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Links\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\56085415360792 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\explorer.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\security\database\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Windows\Setup\State\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Windows\ImmersiveControlPanel\ja-JP\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Windows\DigitalLocker\en-US\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Windows\security\database\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Windows\Setup\State\smss.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Windows\Boot\dllhost.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Windows\DigitalLocker\en-US\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Windows\Registration\CRMLog\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
File created C:\Windows\Registration\CRMLog\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\security\database\taskhostw.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
N/A N/A C:\Windows\security\database\taskhostw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\security\database\taskhostw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe C:\Windows\System32\cmd.exe
PID 1396 wrote to memory of 5108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1396 wrote to memory of 3600 N/A C:\Windows\System32\cmd.exe C:\Windows\security\database\taskhostw.exe
PID 3600 wrote to memory of 1612 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3600 wrote to memory of 3900 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 1612 wrote to memory of 3648 N/A C:\Windows\System32\WScript.exe C:\Windows\security\database\taskhostw.exe
PID 3648 wrote to memory of 3000 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3648 wrote to memory of 2160 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3000 wrote to memory of 4060 N/A C:\Windows\System32\WScript.exe C:\Windows\security\database\taskhostw.exe
PID 4060 wrote to memory of 3408 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 4060 wrote to memory of 4696 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3408 wrote to memory of 4688 N/A C:\Windows\System32\WScript.exe C:\Windows\security\database\taskhostw.exe
PID 4688 wrote to memory of 2232 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 4688 wrote to memory of 2928 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 2232 wrote to memory of 3500 N/A C:\Windows\System32\WScript.exe C:\Windows\security\database\taskhostw.exe
PID 3500 wrote to memory of 5016 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3500 wrote to memory of 640 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 5016 wrote to memory of 3700 N/A C:\Windows\System32\WScript.exe C:\Windows\security\database\taskhostw.exe
PID 3700 wrote to memory of 1836 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3700 wrote to memory of 1776 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 1836 wrote to memory of 2412 N/A C:\Windows\System32\WScript.exe C:\Windows\security\database\taskhostw.exe
PID 2412 wrote to memory of 824 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 2412 wrote to memory of 4604 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 824 wrote to memory of 3020 N/A C:\Windows\System32\WScript.exe C:\Windows\security\database\taskhostw.exe
PID 3020 wrote to memory of 3984 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3020 wrote to memory of 2296 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 3984 wrote to memory of 2628 N/A C:\Windows\System32\WScript.exe C:\Windows\security\database\taskhostw.exe
PID 2628 wrote to memory of 1528 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 2628 wrote to memory of 2120 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 1528 wrote to memory of 1992 N/A C:\Windows\System32\WScript.exe C:\Windows\security\database\taskhostw.exe
PID 1992 wrote to memory of 2880 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe
PID 1992 wrote to memory of 228 N/A C:\Windows\security\database\taskhostw.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\security\database\taskhostw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe

"C:\Users\Admin\AppData\Local\Temp\c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\security\database\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\security\database\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\security\database\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Setup\State\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Pictures\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Links\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wxfkt16eiv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\security\database\taskhostw.exe

"C:\Windows\security\database\taskhostw.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8d5e12a-796e-4406-b3d9-f06a403bf8e1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c946e32-b5d4-48d0-ba49-5226c4d0ad7f.vbs"

C:\Windows\security\database\taskhostw.exe

C:\Windows\security\database\taskhostw.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4c01f3d-98f3-49b7-9f6c-e52d14483e29.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9fe6346-2447-456e-9f29-4b4bfc666814.vbs"

C:\Windows\security\database\taskhostw.exe

C:\Windows\security\database\taskhostw.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef0abced-bd95-4a7e-8562-2b54301c94e3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\803fd824-f5ea-4c81-b509-bbf9dd7d48bd.vbs"

C:\Windows\security\database\taskhostw.exe

C:\Windows\security\database\taskhostw.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11897b35-95a5-42bd-aeaa-1c6cf3ec3b99.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8519dcf3-8422-4738-89d3-0213fba9c6ed.vbs"

C:\Windows\security\database\taskhostw.exe

C:\Windows\security\database\taskhostw.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1b7fd66-bd99-48c6-9ec8-8bc4ec01bd05.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ef33c67-2195-4287-9bf6-9cee00ab77f4.vbs"

C:\Windows\security\database\taskhostw.exe

C:\Windows\security\database\taskhostw.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6707ed04-e409-4e4a-8fbc-661e1986b39e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92b906f0-16ea-40c3-be82-d6a4192e4f8e.vbs"

C:\Windows\security\database\taskhostw.exe

C:\Windows\security\database\taskhostw.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955e9c58-d4a5-4dc7-a2fb-50f931789f53.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\898d4e55-af10-4c01-9c9b-1dddec2b71fe.vbs"

C:\Windows\security\database\taskhostw.exe

C:\Windows\security\database\taskhostw.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e919269-c496-4dfa-be9b-eea8044ae70b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bebf8e93-d3fd-40f0-ad34-b908e41414b0.vbs"

C:\Windows\security\database\taskhostw.exe

C:\Windows\security\database\taskhostw.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7e0b029-2c95-4f93-a436-e40b50d20218.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b525fa78-f34c-443e-a6e5-b66004fb4683.vbs"

C:\Windows\security\database\taskhostw.exe

C:\Windows\security\database\taskhostw.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b252635a-cd2b-45fd-9412-8dd686aa7f2d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\585b42c8-cb3f-4f91-888c-a906edf79824.vbs"

C:\Windows\security\database\taskhostw.exe

C:\Windows\security\database\taskhostw.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\366e2fdf-b9f4-41fb-af42-1d01930f5e99.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b5b02ff-eb87-4568-8517-397dd2861ab3.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 a0992097.xsph.ru udp

Files

C:\Recovery\WindowsRE\fontdrvhost.exe

MD5 bfa95bec512a100511e4f1e90189594c
SHA1 5491655abcbe56963ff489b8181bacebd2873e07
SHA256 c052c666088c246a5e15c88190b68cb1a3d70974396bfbe5e075d7e12d4522ad
SHA512 be1f4da54c40d874cd47687e6578b978c2ea45f0ffe31c171db4e8cf67a84aa172844333bb028bd0e042f38f75bafa22522ce6572b6b53472d817a208258212b

C:\Users\Admin\AppData\Local\Temp\wxfkt16eiv.bat

MD5 b7058489c5dd141f48e6358800b2966e
SHA1 699da5268f06671d1c28b9f1be955bd5addc9755
SHA256 8195b576d06273d160f7450e57460b48e4ce1cb0e6620cc8898b758ead6d4760
SHA512 eece9af7efcab2cb6890edfd4662933ec96b22e3171e0175797bca30cda8511204ce3440cdb8e7de20827d2d9061ec49fde6151ea1e98cc4386098097ce9aa1c

memory/3112-73-0x00007FFCCB8F0000-0x00007FFCCC3B1000-memory.dmp

memory/3600-77-0x000000001B690000-0x000000001B6A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b8d5e12a-796e-4406-b3d9-f06a403bf8e1.vbs

MD5 38768bfaec9acc6ce10a72f1d408307a
SHA1 6ec17ceed5e474b7dc3fecff1bad78197afaabc2
SHA256 ecaebe8e62ad215c4e4ff34f3aa147686f9fec875d8f9da30510ee9e1f06e7c8
SHA512 0cab39125921126f821848eb36941503a81d4161ddb9acad56f7895d4ca5372e04395529549a8200e51a0430afb6a985d93d2d0ac7038bde7eb589f8d48f387b

C:\Users\Admin\AppData\Local\Temp\7c946e32-b5d4-48d0-ba49-5226c4d0ad7f.vbs

MD5 7775d642b08e9d4c791367cc49d09701
SHA1 b2b01b641f9947ba115dcea709f0b0ca04c5b9df
SHA256 8067e3de1043531e065195ddadc44ecbbe0dc100f28932b137b9d8ba3988489e
SHA512 4d17ae3a1c71d09c2ff58b756bdbe2e059cfd01866a5feadb13bbaf802f0e096ec5ea9e9a7302fe25a157f8a33b400b5852b4921b35fcf2939c1fa9630bef557

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

memory/3648-90-0x000000001B790000-0x000000001B7A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a4c01f3d-98f3-49b7-9f6c-e52d14483e29.vbs

MD5 56a6e7f544487bb7efe3581a081287ad
SHA1 d908ad42111c2bb78c113a6af31a7019ebb4049e
SHA256 b3381a93f7f6287cf6a1e3c801489a46ea71f49dedf35d270b07e3ebe86279d4
SHA512 521349d6c4233927fa1cdc944d6f228d2aeb27662fdb5ec4475f39cd6302323f2d073983c0967ff3e5ebefa404fa6c1fa206781da41b1b3a331a121a0d6c78c2

memory/4060-102-0x000000001BAB0000-0x000000001BAC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ef0abced-bd95-4a7e-8562-2b54301c94e3.vbs

MD5 b1bdea1ac3eeb576810da2c5e69851d8
SHA1 8e370afc3f90644bcd533100ca89f4f51cda1cd0
SHA256 44070737dc695b951900009c023863d4e69ea7f4a4168f57f68caf01a0d61daa
SHA512 aafa47710837127678e55fb4c0b6647957e6a26c6ae13c73c8179b042994a355d4995debf8a22a6ea2f8bd86669d56566820cc187c8b464a0f517cf940c0dedb

memory/4688-114-0x000000001B0A0000-0x000000001B0B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11897b35-95a5-42bd-aeaa-1c6cf3ec3b99.vbs

MD5 b253cedf97bc1a8f1954d4097745e44e
SHA1 d73f21f344469cde4f66018f03283f7376fbbafe
SHA256 2c752a49218826567cfb7beee747c27a4401d0ae972a695a43eebc31da78ddbd
SHA512 37f0122605ef00a911c6441e2a4bf5529b7e214a2f77a328af6a87b87f4cb2384298cdd87b6473011dbc0e03b35a51a93fe1af9a37136bee96b6c7c012236112

C:\Users\Admin\AppData\Local\Temp\b1b7fd66-bd99-48c6-9ec8-8bc4ec01bd05.vbs

MD5 5d589f9dc1739c2fcd5365f910b1192d
SHA1 dd276c75469a94ed85b76ed6ca8906184f1fa4b3
SHA256 26e8348a4b4f97b7a15788eec8d055d4f45268fc584497ebcfe951c35c49c72a
SHA512 af8d91948dc5a6bd3efc82c56b281a31aa6ee36d54ff47a5ba20d396cda00024403f59cc984ed2d3ccaa70ab112fbf1226aefceab7fee2115e776ed0d1e2f6ad

memory/3700-137-0x000000001C3A0000-0x000000001C3B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6707ed04-e409-4e4a-8fbc-661e1986b39e.vbs

MD5 02d6a754c84b6b85d6ba3969661e0e3a
SHA1 eb36fc7de96f627c2ec2ca19996b54ed794f0731
SHA256 c578615c16f80df7cd992f70d14c3e7a11f88ca30c371cf03228334a1f590093
SHA512 b2d2a95ee434269897abfdc6c0e2d8c1f11741362873d92eaf265e981c7ce7321123a47307e4e0b4f7184f7be94e2334ef2e4ea3482ba7c76c394220e5a01591

memory/2412-149-0x0000000002E00000-0x0000000002E12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\955e9c58-d4a5-4dc7-a2fb-50f931789f53.vbs

MD5 cba21385a710f90e4c6b6ab5d2eae1cf
SHA1 02eb8c099345d02982c8c495cade82418059583b
SHA256 129bed6d13ab67a6d90c653c6373488e1f8fc68ac6c83004061dda67f77b08a5
SHA512 14685e981a2e36366409e96ed5dbf7fdaea049577534dd2fdaf0864d3dac7c0d055a079826b624b4313fb2c52117e7958b4d3e8fa789253ddbc95664ec6175ef

memory/3020-161-0x000000001BB30000-0x000000001BB86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7e919269-c496-4dfa-be9b-eea8044ae70b.vbs

MD5 dc8e33925b48497fcd18e9a5d2b6aa36
SHA1 2f9913b33d3fcae2bf65f657f6e48d9cdc805c5d
SHA256 14352920d35cc8fcf951786d904eab275f2387f9d309b29e905b2340b0943165
SHA512 f2b123a399c1013464b76242a19de7168fa3f7c5af853c2a2bc54ca8a8a4b2080e5017f9c505e345c6aff30fe8d84da25eb4b22f59fc77d24a7d1a8b27165eba

C:\Users\Admin\AppData\Local\Temp\c7e0b029-2c95-4f93-a436-e40b50d20218.vbs

MD5 2bb9adf6e50c1c7878e83475686e0469
SHA1 0e64c85552613a48e8e1a822ea4396f2fc8e7f8e
SHA256 29a4146d82e632381389022a5ede13659b45338caef138ce37188cc414e79d7f
SHA512 3ea1aac9b686a512af9283d4971917ab181451864358efc44011c4630f43c0923be8cfc421b17bf047b6a7a7e60fb4fb1eadb50837792d54729b6b290267826b

C:\Users\Admin\AppData\Local\Temp\b252635a-cd2b-45fd-9412-8dd686aa7f2d.vbs

MD5 f02d9f83342ae8da855b7f12a7398693
SHA1 58983ca611641483fbb3871baa7028b407810ca0
SHA256 e9bd14fd30f233d03e5e5781c7d17273a36080ccc6c8ffd2f9d9fc2c59450012
SHA512 d3b69f531391037d97af4890aef4eb5ed9715400c7392888830a230740af9dc34dff5bf472e0ad33ec1e16d543487f145a8b84f08f68a5a2807524cbe19d98d1

C:\Users\Admin\AppData\Local\Temp\366e2fdf-b9f4-41fb-af42-1d01930f5e99.vbs

MD5 171ea2821808162f38d60776caba90d4
SHA1 482a8dec37d689edf09140bf4e7cb0806033b631
SHA256 83abccbc4f357c0bc551d0b108f658f75ee0518f5f46256f32ff0943bcab7252
SHA512 a24289e88915a9551c4055ad74ed657536c36cd74b481f55da8d10a5d14515a31cdbcf219d4ec36c13c49c8199306c01013dcc6ee8264ee3f1126ac827de0133