Malware Analysis Report

2024-10-19 01:55

Sample ID 240925-wy2v4atbmg
Target b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
SHA256 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a
Tags
dcrat evasion execution infostealer rat trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a

Threat Level: Known bad

The file b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan

DcRat

Process spawned unexpected child process

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-25 18:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-25 18:20

Reported

2024-09-25 18:51

Platform

win7-20240708-en

Max time kernel

1800s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Recent\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Recent\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Users\Admin\Recent\lsass.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Users\Admin\Recent\lsass.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\Program Files\Java\jre7\lib\ext\spoolsv.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Windows\Tasks\lsm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Users\Admin\Recent\lsass.exe N/A
N/A N/A C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
N/A N/A C:\Users\Default\Saved Games\explorer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files\Windows Mail\System.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files\Windows Mail\System.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files\Reference Assemblies\csrss.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\56085415360792 C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files\Windows Mail\RCX61E4.tmp C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\RCX6B3A.tmp C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\csrss.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCX73C6.tmp C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files\Windows Mail\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files\Java\jre7\lib\ext\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX6658.tmp C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\RCX7637.tmp C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\wininit.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\wininit.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\RCX5DDB.tmp C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files\Reference Assemblies\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files\Java\jre7\lib\ext\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\RCX6FBF.tmp C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\addins\RCX71C3.tmp C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Windows\LiveKernelReports\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Windows\addins\6b21b2042cab95 C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Windows\rescache\rc0004\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Windows\LiveKernelReports\RCX5B5A.tmp C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Windows\Tasks\lsm.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Windows\Tasks\RCX68C9.tmp C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Windows\LiveKernelReports\explorer.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File opened for modification C:\Windows\LiveKernelReports\explorer.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Windows\Tasks\lsm.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Windows\Tasks\101b941d020240 C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
File created C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
N/A N/A C:\Users\Admin\Recent\lsass.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\lsass.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Java\jre7\lib\ext\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Tasks\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\cmd.exe
PID 1972 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\cmd.exe
PID 1972 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe C:\Windows\System32\cmd.exe
PID 2856 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2856 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2856 wrote to memory of 1944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2856 wrote to memory of 2816 N/A C:\Windows\System32\cmd.exe C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
PID 2856 wrote to memory of 2816 N/A C:\Windows\System32\cmd.exe C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
PID 2856 wrote to memory of 2816 N/A C:\Windows\System32\cmd.exe C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
PID 2816 wrote to memory of 2508 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2816 wrote to memory of 2508 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2816 wrote to memory of 2508 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2816 wrote to memory of 2452 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2816 wrote to memory of 2452 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2816 wrote to memory of 2452 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2508 wrote to memory of 2444 N/A C:\Windows\System32\WScript.exe C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
PID 2508 wrote to memory of 2444 N/A C:\Windows\System32\WScript.exe C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
PID 2508 wrote to memory of 2444 N/A C:\Windows\System32\WScript.exe C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
PID 1508 wrote to memory of 1264 N/A C:\Windows\System32\WScript.exe C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
PID 1508 wrote to memory of 1264 N/A C:\Windows\System32\WScript.exe C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
PID 1508 wrote to memory of 1264 N/A C:\Windows\System32\WScript.exe C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
PID 2444 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2444 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2444 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2444 wrote to memory of 316 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2444 wrote to memory of 316 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2444 wrote to memory of 316 N/A C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe C:\Windows\System32\WScript.exe
PID 2868 wrote to memory of 2440 N/A C:\Windows\System32\WScript.exe C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Recent\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Recent\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\Media Renderer\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe

"C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\lib\ext\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\ext\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\ext\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aNb" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN" /sc ONLOGON /tr "'C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aNb" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwmW5ZiuB3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25cfb345-d5f1-430d-a5fb-1b6925dac913.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc81e34-14fe-4e02-bbef-7b501e3c51a9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25cfb345-d5f1-430d-a5fb-1b6925dac913.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc81e34-14fe-4e02-bbef-7b501e3c51a9.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fb1eaeb-6187-415e-978f-b68aa8e53c70.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a02df486-ce78-4e0b-a26e-e5661bc9e67b.vbs"

C:\Users\Admin\AppData\Local\Temp\ose00000.exe

"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a957ed-c25f-4329-a969-4602cc19c6d6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee1e55dd-f46d-4bab-bf94-d978cde6df20.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f35bb97-dc50-4e94-87f8-4e2992fc0852.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f35bb97-dc50-4e94-87f8-4e2992fc0852.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc81e34-14fe-4e02-bbef-7b501e3c51a9.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef105459-3e1e-4d47-9632-0b5048fae436.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cb3bc06-7f64-4d3a-9f41-ddbbdb9c7ef8.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1477a36b-e1b5-4cd9-9369-c11203a3d45c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4adce45-683c-482a-bd38-635d15925729.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\974d9147-ea43-4c17-a2de-ec4ceeb32ca5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4fa3bab-3d05-42a2-925b-c8d7f893297e.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\291d1841-97a1-4377-a667-b8cba52acf26.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92d3eb91-94e4-45e2-bf51-765c65d97989.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21a781c9-34ce-4a67-9589-762570e27eb0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7954474d-213c-456a-975b-eafd3d1b9e57.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0469aeb-e29a-4161-9451-29994f373be2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f504e58-2dc6-4995-9448-b333fad48092.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2f80a40-0455-4dc4-9944-654a54be4a05.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4daf1837-0be6-4da3-b831-fe34e5beb302.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa74fcd7-1681-45ab-af55-0c17c74bbdaf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e690dd7-b0e9-4157-8fac-273162c5a735.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d143383-7fcf-4ace-8c27-5d0cb288723e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad009bc7-c7f4-4b47-9657-f93458490cd9.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cc5acc9-5221-46cf-b352-0e5cfe853300.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5090c9dc-264c-424f-b112-1d051a3ad28c.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb34b2de-7d9f-4bae-9791-51a4d7c06080.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f378fe0-f77b-4570-9d08-16c300f5c284.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e80b1a9-f08a-4f81-86f3-ed16a1140d7e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c2d7589-5d94-4526-bcb6-e9d8ae43daca.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e1f929d-98a8-4342-a855-ee152fc6fa8e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e365e2fe-0ebb-4218-8f90-3cdff504c246.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a5dfbf2-6f1b-40c8-b87a-599fe25ac2db.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f1ca7e-d6b0-4432-bcd8-5d4b011468ea.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9493a9a-16e8-459d-9468-3c457eb683f0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2144448b-de06-41b1-8db0-31feac3ee96b.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a64125a-3628-4029-81a6-606c2ef2c7c0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67549861-7820-40e4-8bbe-ec0d93d02377.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2730f9c1-5954-4f90-9195-43099133bb10.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb4df6a1-d195-46cd-824e-17ef2e406e0e.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a873253-3fca-4b09-9298-a96040251e8e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0136ae81-dba5-40f1-b484-7d0cec927eee.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c80a1c4-4e97-4139-ab68-034aabb694a1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1803fcf7-2912-45e5-af56-dbeb13c856d0.vbs"

C:\Windows\system32\taskeng.exe

taskeng.exe {39632321-4B8B-46E4-90AD-918B059923E1} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]

C:\Program Files\Windows Media Player\Media Renderer\wininit.exe

"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a437a4c1-adb9-4273-8f0f-6da40c12cac4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\592ab024-09be-4bd6-b5bc-184908320269.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a18ebea0-8d75-4bef-b4d8-e274315d075a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8522b6de-e88c-4581-b361-123d34e735b7.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90b43bd8-abe3-40fa-bda8-8fdb130317dc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5c9a0ba-958f-4d7e-bf68-ecd593a8ef12.vbs"

C:\Users\Admin\Recent\lsass.exe

C:\Users\Admin\Recent\lsass.exe

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebb3f657-2170-4fdb-a77c-40bd09429a8c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a777996-dc29-428b-9633-ebe7a2f2aea0.vbs"

C:\Users\Admin\Recent\lsass.exe

C:\Users\Admin\Recent\lsass.exe

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"

C:\Program Files\Java\jre7\lib\ext\spoolsv.exe

"C:\Program Files\Java\jre7\lib\ext\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55773280-a79a-4d68-a74f-6edcbda25920.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc8e4ecb-0802-45b8-aa9f-733f711b684c.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9a149f6-4eca-4ee6-a35f-64c34b785168.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\564dca90-8d9b-43bf-85d1-fed76beb7496.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f641df2f-85a5-439d-9c9b-45965566bce2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8533d52-2c36-4c76-b5d7-289bf66777e4.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2095675a-7db6-485e-b3ed-82c97bebced1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba8ad9b3-c94d-47dc-af10-b337f0163c91.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9418e24c-8b4b-4cb9-b9bf-46030d3992d4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c07a5a5-55ee-47bc-bde0-ec3dc5c8b708.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe

C:\Windows\Tasks\lsm.exe

C:\Windows\Tasks\lsm.exe

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bf2fbef-3193-40ce-88a7-c49f0c1ade77.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508407be-1f06-4c6b-a12b-dcf9a9c15861.vbs"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Program Files\Windows Media Player\Media Renderer\wininit.exe

"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53c138d4-b9c2-453f-bb1f-61021705a189.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a790dfab-8088-4f09-9ba0-6a71f8e006f0.vbs"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e8427a7-1714-4506-b99d-0103d3e24b2c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e53bba19-005b-48ba-a400-e62434ba43e3.vbs"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0b840d9-7e54-424f-8a5c-6ea3c03eeddf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42ee279d-2c00-4cf8-93e4-89765792e852.vbs"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44afce48-c99a-451d-be4e-035cbb7ae94b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2722513-b67c-4d75-bdfb-2f2ba1f444b9.vbs"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40226343-97f3-4601-a5e1-207f6320ca89.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47604fe8-6df4-4877-9d57-55637f978d72.vbs"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\743ed8c6-16bc-47d6-83a2-dfa2ce512bd1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5a3fde1-1079-42c7-a847-07c47890c8a0.vbs"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d7f3a56-8236-4e71-94f4-a1af4c81688c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3943177b-bb31-435d-9f68-2879a44068c5.vbs"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d1574bc-ec77-4806-80bd-768b526d1b57.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd1d6a00-6f0b-4569-a0e6-8dd32f7336f0.vbs"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e8d3072-5729-473a-bb5c-e45eb0f7fd60.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6295eceb-3587-4bc8-9202-a8876093b766.vbs"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6ca37f5-2f06-49bf-8ef4-62ba9246ced6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41c255dd-418b-4e35-82e3-e3bf7c5431c1.vbs"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64b59c83-5bb6-447a-869e-c821b345ca0d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c274ea9-eb94-4f9c-9a12-886ad95bd2f9.vbs"

C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe

C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe

C:\Users\Admin\Recent\lsass.exe

C:\Users\Admin\Recent\lsass.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"

C:\Users\Default\Saved Games\explorer.exe

"C:\Users\Default\Saved Games\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2aa7c6e-5709-4ad3-875d-8969b7772884.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb8b9906-758a-4005-8707-0d558b6e2599.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f3c047a-00c0-4ed6-a3c2-0990a7d77b82.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab1b8ed7-f92d-46c5-ade6-ff762fc5acb4.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b345bebd-5d31-45b4-9afa-b91cae7a773b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc7ec0fe-c938-49ec-a116-aa2fe7e56828.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4487b1bc-2e22-4de5-b88c-8736fefee706.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6574cb59-fe3c-436a-9ea1-d003cb4570e5.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f366ad9-42c0-4c8b-9f13-94674777a419.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34062494-f033-4368-b1b8-7d6bb19f3091.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db715930-6723-44cb-bbcd-789cd77007b7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca795d0-6d4b-4fb7-a7d7-ea2a42fea0cc.vbs"

C:\Program Files\Windows Media Player\Media Renderer\wininit.exe

"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d68e9d80-dc4e-4dab-b8a8-90760d329f8a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\330c5bcf-ce0b-4189-8816-8aeb67db4e22.vbs"

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe

"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"

C:\Program Files\Windows Media Player\Media Renderer\wininit.exe

"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb2c8bd2-5814-49c5-9e9c-e73cded7fbf0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a677a3f-2ca9-4e68-8348-2ece52d293d8.vbs"

C:\Program Files\Windows Media Player\Media Renderer\wininit.exe

"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa7d157a-0fcc-4272-879c-7cb160b9d3e6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8adf81c3-dc79-4118-802d-4284beb88cee.vbs"

C:\Program Files\Windows Media Player\Media Renderer\wininit.exe

"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b672e89f-6ecb-4cbe-bd67-b2ac71ac173a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4960acb5-38e4-476d-b58c-8d9e9ba76553.vbs"

C:\Program Files\Windows Media Player\Media Renderer\wininit.exe

"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b62c7658-4df7-4a27-9974-3f78506e9fb7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e662146b-b874-409a-9631-343c31195a91.vbs"

C:\Program Files\Windows Media Player\Media Renderer\wininit.exe

"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe

"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"

C:\Program Files\Java\jre7\lib\ext\spoolsv.exe

"C:\Program Files\Java\jre7\lib\ext\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f552f3-f7bc-49a5-a2e8-b76b74487c3d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9038819e-8166-4afb-a2d8-3e20446c2cba.vbs"

C:\Program Files\Windows Media Player\Media Renderer\wininit.exe

"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"

C:\Users\Admin\Recent\lsass.exe

C:\Users\Admin\Recent\lsass.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe

C:\Windows\Tasks\lsm.exe

C:\Windows\Tasks\lsm.exe

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac9165e0-cc3a-40b2-8813-ad8e1dabf8eb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7a08be9-70cd-44dd-b67f-7dfe9ee0072d.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27ca13c8-0325-40bd-a0ea-9b4ec16be2ed.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2064efdd-74ab-493b-8950-1f83940d3aa7.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91b4c8c6-5903-4623-aea3-6815c58b66a3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a67bc18-15ba-4920-b53f-6dfe54d80027.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1831e825-5231-4c9f-bc29-63247c122fc3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ca4e411-a5ac-471a-ba9a-f8f27cb8ee58.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bdcd68f-fb59-4784-b85a-d7b9ea2a07b7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3ba9a05-443e-40ce-a108-be077d910471.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4860e01f-09ef-4c73-9c3f-6435d88c9dda.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8830da6-9803-41a4-a4de-b9f24923f221.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7aed086-5bda-4151-80c5-0def7ac118f5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44610319-c55c-4868-b218-bdf4803bfe5c.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e575393-f82b-4ad6-856d-57b9d3a61a86.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55c077c7-50fa-4231-8b64-da4b3f34812a.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e19590dc-2eb3-4bff-a75d-7d636c337015.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72fef30b-806d-496d-a128-236923f44e76.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1d098ee-bf98-4b3f-af69-01546596ab97.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cacc9d16-a581-4bd9-98ce-0a450893b92e.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c316e8b6-7b99-4898-85d0-e3058c438ae0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8dd02c7-a8de-436e-b269-41fec808ca1a.vbs"

C:\Program Files\Windows Media Player\Media Renderer\wininit.exe

"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b020b20b-0c5b-4ef2-a44c-4f174cc72abd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529c7d6a-95ce-4777-878f-76a1ef4f0040.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1bcc459-671b-493c-bd8f-e919ec3b6fe1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96646a7d-d4d3-4cac-b1ea-f4660de91140.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\353d9cfa-43fc-456e-916f-7a0ca3726f35.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b18fc56d-8b59-4b3a-b6f8-78652be138d4.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f66b8fad-1172-4e82-8715-da4fdc125421.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c3b9b6d-cc31-4e21-8225-4269f6d2e05d.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79c49916-304e-4d94-beaa-e6200cf8d702.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f183ecc-b65e-46cf-af0d-862755793078.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7197a734-a884-45c3-a50f-79262f722534.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d336ae63-5a53-4254-9a05-01851c93c85a.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b176fd30-5b8c-4a34-9ab9-2a6fd904e599.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2e5291a-2e1c-4927-9047-e5e7b924d519.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c413a012-8714-4a95-ad60-19b6316ee68c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\614a48d1-8ec4-4bd3-b807-4379d1f668a4.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8680b574-ecc9-4518-b965-0d6484bf097d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3bea8da-085c-4b1e-b461-b2171a72c068.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\004fcd9c-edda-459e-83b4-a56806cd8e75.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7942f640-df32-47ed-9bf1-540fd93ef028.vbs"

C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe

"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\659656d9-1df5-4c34-a67e-25363301eb0f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67659cee-ed3a-4659-b112-dbf0aa54fc4c.vbs"


Network


Files
