Malware Analysis Report

2024-10-19 02:01

Sample ID 241014-f23zkazdqd
Target 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN
SHA256 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b
Tags: dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b

Threat Level: Known bad

The file 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Process spawned unexpected child process

Colibri Loader

DcRat

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System policy modification

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-14 05:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-14 05:22

Reported: 2024-10-14 05:25

Platform: win7-20240903-en

Max time kernel: 148s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows NT\Accessories\fr-FR\winlogon.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\Windows NT\Accessories\fr-FR\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\dwm.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXAC54.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\fr-FR\RCX932D.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\fr-FR\winlogon.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\RCXAE58.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\audiodg.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\RCX9BAA.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\audiodg.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0b1ac2d643d50b C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\RCXAA50.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\dwm.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Panther\taskhost.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Windows\Panther\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Windows\Panther\RCXB260.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Windows\Panther\taskhost.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 2964 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 2964 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 2596 wrote to memory of 2488 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 2488 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 2488 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 2648 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 2648 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2596 wrote to memory of 2648 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2088 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 2488 wrote to memory of 2088 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 2488 wrote to memory of 2088 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 2580 wrote to memory of 2248 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 2580 wrote to memory of 2248 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 2580 wrote to memory of 2248 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 2248 wrote to memory of 3028 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2248 wrote to memory of 3028 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2248 wrote to memory of 3028 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2248 wrote to memory of 1544 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2248 wrote to memory of 1544 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 2248 wrote to memory of 1544 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 3028 wrote to memory of 1576 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 3028 wrote to memory of 1576 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 3028 wrote to memory of 1576 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
PID 1576 wrote to memory of 1732 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 1576 wrote to memory of 1732 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 1576 wrote to memory of 1732 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe
PID 1576 wrote to memory of 2872 N/A C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe C:\Windows\System32\WScript.exe

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe

"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN7" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN7" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Panther\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\taskhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2385680d-a413-42b1-9614-119b70f603f8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68f5091f-a8b2-4701-b4f7-743b164939d7.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5dec602-b972-4e5b-9b4f-5bd4770e4b32.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aadb6d3-7016-45a4-a889-7bd140d2da74.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42019158-49b2-4fec-84d3-f2b8c53a555e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6762dba-3ac3-4683-8955-188ce893393f.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11f27b04-cfa0-4351-8eb9-537e97ea01ac.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bcc2d6f-4a61-481e-a31f-883b482e8af9.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4452ee3b-790f-40b0-b5df-66143467e2c1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff485ba0-4b2c-4b3e-83f9-26017f8482cf.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb24eb54-11d2-411e-be8b-59965f1cc6fa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\929edbf2-26a3-47b5-b47b-4bfcffbbacc5.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba0873c-a788-4649-a88d-fd299266a00b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccbc0e89-851c-4cd1-9c80-71beac683c4f.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2de27d9a-7336-4734-82fe-a4e4a42f3bc1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\957c9c55-8beb-44e9-bfc4-1295228ec861.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce638e2a-0067-4e59-bb11-bfbc6da01721.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c4ca29c-db96-420d-9cfd-db11bc8b7808.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f314130-28a4-4608-9c80-1592dd575a65.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b05f002-e642-429d-b8fd-0b7355a486cd.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85cb747e-e847-4cb1-a194-3eac04a29834.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b60ca5f1-5b11-43db-9cc3-95ba87698750.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp

Files

memory/2964-0-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp

memory/2964-1-0x0000000001160000-0x0000000001654000-memory.dmp

memory/2964-2-0x000000001B580000-0x000000001B6AE000-memory.dmp

memory/2964-3-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

memory/2964-4-0x00000000003A0000-0x00000000003BC000-memory.dmp

memory/2964-5-0x00000000003C0000-0x00000000003C8000-memory.dmp

memory/2964-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

memory/2964-8-0x00000000003E0000-0x00000000003F0000-memory.dmp

memory/2964-7-0x00000000006F0000-0x0000000000706000-memory.dmp

memory/2964-9-0x0000000000710000-0x000000000071A000-memory.dmp

memory/2964-10-0x0000000000720000-0x0000000000732000-memory.dmp

memory/2964-13-0x0000000000B60000-0x0000000000B6E000-memory.dmp

memory/2964-16-0x0000000000E10000-0x0000000000E1C000-memory.dmp

memory/2964-15-0x0000000000E00000-0x0000000000E08000-memory.dmp

memory/2964-14-0x0000000000D70000-0x0000000000D78000-memory.dmp

memory/2964-12-0x0000000000B50000-0x0000000000B5E000-memory.dmp

memory/2964-11-0x0000000000730000-0x000000000073A000-memory.dmp

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

MD5 028bdc90907407e6347ed647ec3a4520
SHA1 a4666b332fa2086a2367fca57e8f8516f661703f
SHA256 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b
SHA512 a98b624d5a480fe88d23a0c11f52bf16c9f7631d1f0a4d8eb1255b1da325c8a78b997b75c43d79c6b16a1d9b6704315b931eba826ee0266487b099244a2a852e

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RCXA83D.tmp

MD5 a9fb675ae8af51d9bf73d6c505d50884
SHA1 49fc5ad4863e6579b7197a8ba7370db2995a1650
SHA256 6815e7af0b18f78a3ee0a6ef89984b92e6c57cc27e321c0c43dc7ab655eae965
SHA512 57d0db1a0087b898f494bff4f0b2e449981ea7e4171f307d9f69e6a07a1ab59f58984d485172592f40766bc767dab8bb21b76b866d895c5c2e3d8858ff530956

memory/2964-154-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp

memory/2964-168-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 610a8f4a21c4317f98fd53c880d8118d
SHA1 9a6a06bb807eaa8c0a20e4eb6102c25e001367ff
SHA256 5320f5f97a4bfa555893361656f1a75322aedb14a8a81b47561cf6dc3d4602cc
SHA512 e88c4baac763792d20dfacdec10dacaa91ba245a4aa35b44802d7644cc124698064de84da3671284945e5e83ac53ac42b131284c05ecc276a2ab5e1f320e5370

memory/1060-183-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

memory/1060-185-0x00000000027E0000-0x00000000027E8000-memory.dmp

memory/2964-187-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\2385680d-a413-42b1-9614-119b70f603f8.vbs

MD5 0b8da6a5b3330cf6e60ab67032386ed9
SHA1 9f5cbb39a6087b6c439cba44d36c94678eae1d1c
SHA256 3f1563d44d176885f01824bc06823e15af07314fb5fce8d639e76847123da878
SHA512 c689e80fd688e506275a9eeb8b4081c89ea689f30cc2ab1287e22eee29b5dae4cda546a26a47d1400b2947cc511432e60501a2b9755c83a2c555a1194c5a9668

C:\Users\Admin\AppData\Local\Temp\68f5091f-a8b2-4701-b4f7-743b164939d7.vbs

MD5 a1687cf85a6b2ecf0e4d54558759a0d1
SHA1 923e06fa335ce0dbb455000161e0ef5b68950a99
SHA256 89acdeb61c597f6df3e6b2be4ab1a849bf2c6753ddd7301369e635ee02338721
SHA512 a93e438836377306a13b4749df71a1cb080e0e56c788969e50c2ff44d2930f1894caea56bd314fbb1a9102f8a2b41d5da26ec089c7ab666f2bda88b32c112c34

C:\Users\Admin\AppData\Local\Temp\tmpC1F8.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/2248-249-0x00000000013A0000-0x0000000001894000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\42019158-49b2-4fec-84d3-f2b8c53a555e.vbs

MD5 211c36e98d45a06fcad6e58779c618f2
SHA1 648df55dd41f43be544a7922dcad4b7bd9e8c277
SHA256 607cd5d73e79e94c6a4fa472c1b36d8c6c03e3d64a9919885f0a3dc392bb4781
SHA512 01a07222ccab0c4bb70ce8c15560738108ee6d28ba14e6980ceb1dd025a67b624fef27ec81fbb095f4e76671073ee678c80a93a5c2cd0c5075915f43409e2670

C:\Users\Admin\AppData\Local\Temp\11f27b04-cfa0-4351-8eb9-537e97ea01ac.vbs

MD5 0cae0ec1d7ad4342d3ef28265b45de01
SHA1 f304a3279565ff006f7f0c1567ccdd597dc7484d
SHA256 73bbe9f1f82e531e154e8de8673bac0408a0f3f5d7e15a93df58a7facd4cf897
SHA512 2549dec5e30214c12369cda1312f575231487bc28870baf04e4c8851fa848c4246e2b72a70e7a26c0edb9163b740af5b9510e5772297086cee6ecddbc542972b

C:\Users\Admin\AppData\Local\Temp\4452ee3b-790f-40b0-b5df-66143467e2c1.vbs

MD5 d72cf0dfce1fd47111a1f069db611b83
SHA1 7bdadf07343c5013346e3e06966f8e5f442b2b2a
SHA256 222f5898d0a1ab68747e817653e76a7b7f8d6db028890c34a847a2f53dd482a8
SHA512 efdd9e4fbef59ea0ab2b0e54acc0782b13c76e8a4246edbc7ebc16dee05a9cb951ef7431b3d510715f8b81177a06169842db9a4f0c3b2edd55d2c48cf188a330

memory/2396-292-0x0000000000080000-0x0000000000574000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb24eb54-11d2-411e-be8b-59965f1cc6fa.vbs

MD5 9aa18baacb6820a6e168aaffa039c573
SHA1 0f160045e784f087dc73e053b9920b8a5893d930
SHA256 40ef7e21d1b8b6fdc4ef3afe782a27d651e7ac3d50e8dde7493111c6d2f091b8
SHA512 6d3694103c1f1af0c4b5d0aebfe2f4f3d75f922f06f23af999de4afe25da96c139b5cc23baea0e7a35398d4ffe9660aa7ec76a598268a675d5b1ff7e2927e917

memory/316-307-0x00000000003E0000-0x00000000008D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bba0873c-a788-4649-a88d-fd299266a00b.vbs

MD5 935970144620e4b3b727983f700826d1
SHA1 33ca654fe8e80275cb4913ea8810e18b7d4de612
SHA256 e18b5aaf5bf921e7c24b1545347c986d86674b8bae62eeb476aa0c912b94f3d2
SHA512 4242c22675a2e2675739d36e529ff5b095e61b8568a83d3c167bb92acb1325f1a54c14c3be07ad0f4ad6f41893b00879b297b6df22a42abbd14a88698e828dad

memory/1036-322-0x0000000000FD0000-0x00000000014C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2de27d9a-7336-4734-82fe-a4e4a42f3bc1.vbs

MD5 bb1904cd3c1c80e808a6704adf8f5281
SHA1 613c5040e6af6b9c4295315e0bda282d63eb73d7
SHA256 5423ddafde261e0b47d5a0741dcba838650c6038f4d70307afbe3896fdd885bb
SHA512 2dfc594fd50c964c8a53446e5c26a57c4fdc82a63d072cf4e21cbf48214655497e6c554afec1ae9ea6c10922e924611a833f5498ade928a6c800f55b7d670e33

memory/2756-337-0x00000000002B0000-0x00000000007A4000-memory.dmp

memory/2756-338-0x0000000000880000-0x0000000000892000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce638e2a-0067-4e59-bb11-bfbc6da01721.vbs

MD5 481a6c55cc88d4c63bfc6b16c3f77da9
SHA1 9ee9efac0512761d1895efdc195e3622d876777f
SHA256 3128acd499379b89ecf92267a436899476dced49b681d4d2e93409bcd0060f94
SHA512 bdef9aaa23a525694c6ca19880c9c87f3766945c2a181b488d5703a07d17064a2ddd12db6071df18397e270b5fa755bfcab142ceb39391a05400ddf9f93e5319

memory/704-353-0x0000000001350000-0x0000000001844000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1f314130-28a4-4608-9c80-1592dd575a65.vbs

MD5 03f5b8e1f9a8dcdea04ec42c02666c6b
SHA1 2391c9b20bd3eeb2e0bd87ba498af931e5a5bf2d
SHA256 5f8fc5daff78c1ee87cbd8234aadd55dc614b40f4074546fff7a31430e2d05e8
SHA512 d1bde5e3b9e1ec248ebaa9a34b2996c7a0adef3a68902fb705546339afa76b639e31aef9bb4b97d61b7a10078bcc9afe7c1800f4376edbec0d4125658f8cd185

C:\Users\Admin\AppData\Local\Temp\85cb747e-e847-4cb1-a194-3eac04a29834.vbs

MD5 02e9bf9f3b78db8eb44cb966cac672fa
SHA1 473fa3057293e78f6215494ab7c97c237b969947
SHA256 05ea148c5b9f3b0e2c029576665ea161c987fa484a79673917fda934ee3fe176
SHA512 4c19d889da22595a9ad497d28cf7e744579085a9e1ad422efc621cb8cd0b1c7ad1d01f9189c87595ed769b2d6542e3e449577b336d66a3ef4fe09d6f4d9dfde0

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 05:22

Reported

2024-10-14 05:25

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"

Signatures

Colibri Loader

loader colibri

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
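Every schtasks.exe in the table above has wmiprvse.exe, the WMI provider host, as its parent. That is what a process created through WMI (Win32_Process.Create) looks like in telemetry: the provider host is the recorded parent, so the direct link back to the malware is lost. The check below is an added example for this report, not part of the sandbox output; it models the parent/child rule over constructed process-creation events, and the allowlist, the high-risk basename list and the field names are assumptions to tune per environment.

```python
"""Parent/child anomaly check for process-creation telemetry (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str = ""


# Assumed baseline of children wmiprvse.exe may legitimately create on a
# workstation. Keep it short: anything else under wmiprvse.exe was most likely
# started via Win32_Process.Create by a caller that is not the parent.
EXPECTED_CHILDREN = {
    r"c:\windows\system32\wbem\wmiprvse.exe": {
        r"c:\windows\system32\werfault.exe",
    },
}

# Children that raise an unexpected-parent alert to high severity (assumed list).
HIGH_RISK_BASENAMES = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Row layout of the 'Process spawned unexpected child process' table in this report.
ROW_RE = re.compile(
    r"^Parent (?P<parent>.+?) is not expected to spawn this process "
    r"(?P<indicator>\S+) (?P<target>.+)$"
)


def normalize(path: str) -> str:
    """Lower-case and strip quotes/whitespace so paths compare reliably."""
    return path.strip().strip('"').lower()


def basename(path: str) -> str:
    return normalize(path).rsplit("\\", 1)[-1]


def parse_signature_row(line: str) -> Optional[ProcessEvent]:
    """Turn one signature row from the report into a ProcessEvent."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return ProcessEvent(parent_image=m.group("parent"), image=m.group("target"))


def unexpected_children(events: Iterable[ProcessEvent]) -> list:
    """Return (parent, child, severity) for children outside the parent's allowlist."""
    findings = []
    for ev in events:
        parent = normalize(ev.parent_image)
        allowed = EXPECTED_CHILDREN.get(parent)
        if allowed is None:
            continue  # parent is not covered by this rule
        child = normalize(ev.image)
        if child in allowed:
            continue
        severity = "high" if basename(child) in HIGH_RISK_BASENAMES else "medium"
        findings.append((parent, child, severity))
    return findings


if __name__ == "__main__":
    # Constructed input: one row copied from the table above plus two benign
    # events that must not fire.
    sample = [
        parse_signature_row(
            r"Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to "
            r"spawn this process N/A C:\Windows\system32\schtasks.exe"
        ),
        ProcessEvent(r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\WerFault.exe"),
        ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\system32\schtasks.exe"),
    ]
    for parent, child, sev in unexpected_children(sample):
        print(f"[{sev}] {parent} -> {child}")
```

The same rule applied to real telemetry (Sysmon Event ID 1 or EDR process-start events) should also capture the schtasks.exe command line, since the /create arguments name the task and the binary it persists.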

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
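The three values rewritten above sit under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. EnableLUA = 0 switches UAC off (fully effective after the next reboot), ConsentPromptBehaviorAdmin = 0 lets administrators elevate with no prompt at all, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop. The detector below is an added example for this report, not part of the sandbox output; it parses rows in this report's table layout (a production version would consume Sysmon Event ID 13 registry events instead), flags each weakening write, and reports the resulting policy state.

```python
"""Detect UAC policy downgrades such as the ones in the 'UAC bypass' table (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Value that neuters each policy, with the documented meaning of that value.
UAC_WEAK_VALUES = {
    "EnableLUA": (0, "UAC disabled entirely (after reboot)"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts leave the secure desktop"),
}

# Row layout used by the signature tables in this report.
ROW_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>\w+) = "(?P<value>-?\d+)" '
    r"(?P<process>.+?) N/A$"
)


@dataclass(frozen=True)
class RegistrySetEvent:
    key: str
    name: str
    value: int
    process: str


def parse_row(line: str) -> Optional[RegistrySetEvent]:
    """Parse one 'Set value (int)' row; other row kinds (e.g. 'Key value queried') give None."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return RegistrySetEvent(m.group("key"), m.group("name"), int(m.group("value")), m.group("process"))


def _is_uac_policy(ev: RegistrySetEvent) -> bool:
    return ev.key.lower() == UAC_KEY.lower() and ev.name in UAC_WEAK_VALUES


def uac_downgrades(events: Iterable[RegistrySetEvent]) -> list:
    """One finding per write that sets a UAC policy value to its weak state."""
    findings = []
    for ev in events:
        if not _is_uac_policy(ev):
            continue
        weak, meaning = UAC_WEAK_VALUES[ev.name]
        if ev.value == weak:
            findings.append({"name": ev.name, "value": ev.value,
                             "process": ev.process, "meaning": meaning})
    return findings


def effective_uac_state(events: Iterable[RegistrySetEvent]) -> dict:
    """Last write wins: the UAC policy values as they stand after these events."""
    state = {}
    for ev in events:
        if _is_uac_policy(ev):
            state[ev.name] = ev.value
    return state


def uac_effectively_off(state: dict) -> bool:
    """True when UAC no longer stands between a user process and admin rights."""
    return state.get("EnableLUA") == 0 or state.get("ConsentPromptBehaviorAdmin") == 0


if __name__ == "__main__":
    # Constructed input: rows copied from the table above.
    rows = [
        r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A',
        r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A',
    ]
    events = [e for e in map(parse_row, rows) if e]
    for f in uac_downgrades(events):
        print(f"{f['process']} set {f['name']}={f['value']}: {f['meaning']}")
    print("UAC effectively off:", uac_effectively_off(effective_uac_state(events)))
```

Because EnableLUA only takes full effect after a reboot, the write itself is the signal to alert on; do not wait for a later elevation event to confirm it.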

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
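Both detonations run a file named winlogon.exe from somewhere it does not belong (an Office cache directory under C:\MSOCache in behavioral1, C:\Program Files\Microsoft Office 15\ClientX64 here), alongside a run of tmpXXXX.tmp.exe files in the user's Temp folder. The genuine winlogon.exe only ever executes from C:\Windows\System32. The check below is an added example for this report, not part of the sandbox output: it classifies image paths for system-binary masquerading and for freshly dropped temp executables. The name/directory baseline and the temp-name pattern are assumptions to tune per environment.

```python
"""Flag system-binary masquerading and tmpXXXX.tmp.exe drops from image paths (added example)."""
import re
from typing import Iterable

# System binaries that should only execute from these directories (assumed baseline).
SYSTEM_BINARY_HOMES = {
    "winlogon.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Name shape of GetTempFileName()-style files with .exe appended (tmpBF4C.tmp.exe above).
TEMP_DROP_RE = re.compile(r"^tmp[0-9a-f]{1,4}\.tmp\.exe$")
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp$")


def split_path(image_path: str):
    """Return (directory, basename), lower-cased with surrounding quotes removed."""
    p = image_path.strip().strip('"').lower()
    if "\\" not in p:
        return "", p
    directory, name = p.rsplit("\\", 1)
    return directory, name


def classify(image_path: str) -> list:
    """Findings for one image path: ('masquerade'|'temp_drop', basename, directory)."""
    directory, name = split_path(image_path)
    findings = []
    homes = SYSTEM_BINARY_HOMES.get(name)
    if homes is not None and directory not in homes:
        findings.append(("masquerade", name, directory))
    if TEMP_DROP_RE.match(name) and USER_TEMP_RE.match(directory):
        findings.append(("temp_drop", name, directory))
    return findings


def scan(image_paths: Iterable[str]) -> dict:
    """Map each flagged path to its findings; clean paths are omitted."""
    results = {}
    for path in image_paths:
        found = classify(path)
        if found:
            results[path] = found
    return results


if __name__ == "__main__":
    # Constructed input: paths taken from the 'Executes dropped EXE' tables of
    # both detonations, plus the legitimate winlogon.exe location.
    sample = [
        r"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe",
        r"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe",
        r"C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe",
        r"C:\Windows\System32\winlogon.exe",
    ]
    for path, findings in scan(sample).items():
        for kind, name, directory in findings:
            print(f"{kind}: {name} in {directory}")
```

On a live host, pair this with process-tree context: the real winlogon.exe runs as SYSTEM under smss.exe, so a winlogon.exe with a user token or a user-land parent is a second, independent signal.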

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3732 set thread context of 3908 N/A C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 892 set thread context of 956 N/A C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe
PID 5088 set thread context of 4472 N/A C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe
PID 2348 set thread context of 1280 N/A C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe
PID 3448 set thread context of 3056 N/A C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe
PID 1772 set thread context of 4624 N/A C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe
PID 3636 set thread context of 2792 N/A C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe
PID 4112 set thread context of 3180 N/A C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe
PID 4084 set thread context of 3820 N/A C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe
PID 2792 set thread context of 2052 N/A C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe
PID 1252 set thread context of 4804 N/A C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe
PID 3848 set thread context of 4720 N/A C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe
PID 1780 set thread context of 1896 N/A C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe
PID 4912 set thread context of 3532 N/A C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Mail\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\dwm.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCXC19F.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\Windows Security\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\Windows Mail\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Windows Security\RCXBAB6.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Windows Mail\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXCF03.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Windows Security\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\7-Zip\Lang\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\Registry.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RCXC635.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\Windows Security\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\7-Zip\Lang\Registry.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\dwm.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Windows Mail\RCXCCEF.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Media\Sonata\csrss.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Windows\L2Schemas\Idle.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Windows\Media\Sonata\RCXD81F.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Windows\Media\Sonata\csrss.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Windows\ServiceState\SEMgrSvc\Data\sysmon.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Windows\L2Schemas\Idle.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Windows\L2Schemas\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Windows\Media\Sonata\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Windows\L2Schemas\RCXD185.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 2412 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 2412 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 3732 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 3732 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 3732 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 3732 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 3732 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 3732 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 3732 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe
PID 2412 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\cmd.exe
PID 3172 wrote to memory of 568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3172 wrote to memory of 4716 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
PID 4716 wrote to memory of 1556 N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe C:\Windows\System32\WScript.exe
PID 4716 wrote to memory of 3936 N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe C:\Windows\System32\WScript.exe
PID 4716 wrote to memory of 892 N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe
PID 892 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe
PID 1556 wrote to memory of 3944 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe
PID 3944 wrote to memory of 1612 N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 1956 N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 5088 N/A C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe
PID 5088 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe

"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\Pictures\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Temp\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Sonata\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Sonata\csrss.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gIs0BZ0kRQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a8787b8-388e-4af3-8338-915e70aabe0a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e013e806-1484-4989-a52e-151653aa297f.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3abf6c4-8980-46b0-b33e-105781fc263d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a02600fd-e831-4e6a-be81-5399ebae31da.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c447d91-e929-424b-bdca-65bb693e57a6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daf2fed0-d545-4d5f-be6e-332d387dca02.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\648d6337-d433-427f-9994-e63c897d4118.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53de6aae-eb70-4b66-9e1c-cc2191c63b0e.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8B72.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\088aa34f-6c9d-4f57-bb04-7eaab1df9bce.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2f8794e-a669-47d2-935f-ab35264b613f.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB9C6.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f66b5e8-99f3-465d-9b50-3fed43676c36.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f3d6b0d-64fb-467a-af5b-40bd4adee15b.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD5F8.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b9a3f0b-0689-4243-8f6f-0088f209b745.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44a8ac9e-7323-41a6-8774-bd75bbc72f84.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF0C4.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b65ef64-7149-4fd3-ad7d-f19441c06d84.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b1bd83f-0fab-4e53-9b7c-4091ba59d7f2.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp20BD.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a236869-731b-4930-ab15-683f9a64069b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db403960-4c76-449c-8d19-0eb1a4976926.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5172.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\383a00f2-bc0c-49de-a8ba-2a0eb5fb550e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0934eac-1c6c-4e2e-b9f9-d400a8b1a547.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8207.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0532af16-57b7-4f31-a747-8605c7c7df68.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d8d9df-a2f4-43c9-84bc-daefa5784ba1.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9D5F.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1262d666-1894-4af5-8307-b2bb2cee90fc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22584939-b13f-4e58-b0ea-7fa62d68bc34.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB9E0.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c1ee020-e308-4c1f-b3d1-10f6acf54922.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\390414c6-e573-4e87-8c71-5b13c5f395d0.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEAF3.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

"C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 200.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Recovery\WindowsRE\TextInputHost.exe

MD5 028bdc90907407e6347ed647ec3a4520
SHA1 a4666b332fa2086a2367fca57e8f8516f661703f
SHA256 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b
SHA512 a98b624d5a480fe88d23a0c11f52bf16c9f7631d1f0a4d8eb1255b1da325c8a78b997b75c43d79c6b16a1d9b6704315b931eba826ee0266487b099244a2a852e

C:\Users\Admin\AppData\Local\Temp\tmpBF4C.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/3908-79-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Recovery\WindowsRE\winlogon.exe

MD5 363b517614376666de0f9ee3dd87a0b0
SHA1 fc7cb033406413ac578d4b7d44653974dba2c7cc
SHA256 53d859b1d4ccb0fe1117fd724762a9b74180f4313deffa5058342f8988e70328
SHA512 feb709e9c01352a378ff682ad74b279e950def493bf1b8ccebfa71304559d38780865be92d0386f228df43718d3b03fc23cd4cbea111b870acd1b25aec3b31d9

memory/2412-147-0x00007FFE161D3000-0x00007FFE161D5000-memory.dmp

memory/2412-160-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_grw005wi.qif.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4140-179-0x0000022032840000-0x0000022032862000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gIs0BZ0kRQ.bat

MD5 a277008f02f36ea2c85c8c20027ea791
SHA1 ba813e4c152b37b4545d1dfd7ad71b1c1f59f214
SHA256 d1feb225176374192e13bd7aebf877956161d839d937c5ffd59a1b1eec3d6f4f
SHA512 4a296304fd830000c7f5172eb0a6d35125bafa97ef32051cafc0792792a26de2db32b3e5a08bbc81223273d1a9de43769d7d288310a40abf1e55cc8357c49d12

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c47b3f4e68eebd47e9332eebfd2dd4e
SHA1 67f0b143336d7db7b281ed3de5e877fa87261834
SHA256 8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA512 0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 76c3d774eea65dc4afc47c9850cf83be
SHA1 28a60136ad0ac48a07f280f9abb9f3e33e5e2033
SHA256 8eb8184fab9806d379cfe52b9117a055eed72d1bd17044f8369c44842b18134c
SHA512 49a72caf489b36fabcb6a10a6360397ccb1a3b56168dd4a2fca21ee5cdaab8f41274713194ca25c14e7390e85fec5b49d01dcf257932ebbf3619d08272ad7cdf

C:\Users\Admin\AppData\Local\Temp\8a8787b8-388e-4af3-8338-915e70aabe0a.vbs

MD5 c4f0fbc293fcf1d97fa17db31202f8bc
SHA1 160d89779b9a3244b802394d9f71c3ff981fa841
SHA256 f0ba9b8a758cc25f4948b7af0442ebef816cb00e7702e1bc4aae54e45d586c02
SHA512 34383d287828ba418ff2e4084b01bf759ded1a8508c5b0f27a551be4828ec0a143f0743bb5f7a15223260b20a85ad1e813b5dd4cc67139328a23987c9417b21a

C:\Users\Admin\AppData\Local\Temp\e013e806-1484-4989-a52e-151653aa297f.vbs

MD5 4a05e07a308de6f6fc9e0e24c32b184a
SHA1 b88f3fd45e46424464f80a4141d7c2a73c802c97
SHA256 118e5d4bf4aca5995424eb9d865ce6809a5ef04f0a51ce6d52de7a36f4863e20
SHA512 f52cb6b07be9c44be4f8bfaa899500b24d883760b57b0b08a4cd2a356978739568a888d13c7ba3948bee760480a0a80f47ab662874a2bb041b15622daf51de2e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

memory/3944-310-0x0000000002AD0000-0x0000000002AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b3abf6c4-8980-46b0-b33e-105781fc263d.vbs

MD5 327cbd66b15036027064ac2040362525
SHA1 d83fee77127440942daee9d3f880119285c102b1
SHA256 b05820bae62739bc0b73842ebf66b2c92b1ccea74f225f81662782a9475e9cdb
SHA512 b0e62ddd67561708e92e3687c7b98b78c2bb2ba7d7eeb070c2a8badc9bee909d8264b2ebf6d66f641702724c31e6cabe83904797c22d99fa2d5d1a769f7294eb

C:\Users\Admin\AppData\Local\Temp\4c447d91-e929-424b-bdca-65bb693e57a6.vbs

MD5 62e2e807d6b0880b84abc4c563f305f2
SHA1 b7079be3e5e3436b91adea82343886c24c24af7e
SHA256 cd3a6a78941f0ed06271cd86e9197c93eb7e0a6b8ce060cdda2242f541c45789
SHA512 7b56f3f51284b846288f365e472de007a3c5f60540049c8e067d8477ad0410cf1819a1c6d8d732db151cebb6b09134dd617889161af9bfa8787c431edd052947

memory/1060-357-0x000000001C0E0000-0x000000001C0F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b4755bd2710fc18d967eced899ef82e2d75fbf1a.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\648d6337-d433-427f-9994-e63c897d4118.vbs

MD5 b8700de41328f59c271fbf62f87eb701
SHA1 8f2d78ed51d72ba5ae4c8ec3c6d7f9dbb6ba88f2
SHA256 eeada2a27ae8b721a4216915d8ac9affbc84b80ba5842b461e886e045643364f
SHA512 03ea30c3647bc152735f6daaf8ee410f3388c66c7709d2b092cd392b2232798c0d9ba0e5b8d2d8c73f7efc68105de2818cd8087fe23543515b1a123a8eae871d

C:\Users\Admin\AppData\Local\Temp\088aa34f-6c9d-4f57-bb04-7eaab1df9bce.vbs

MD5 8bc4188570283daedc6a3409c6128f0d
SHA1 771fc2ddb8b937a2c7ed346c67fe714f793c4dd7
SHA256 53db82b9a8ed91772bb7ee571dc5abdb5271c237d93593c59656c313139a1fd0
SHA512 ab820e98e9bb629aed0a138347e61ef6a08e1fe13e73d967cb8e60e8b428aa3ef3fb7c5dd8deeb5dbb79cc43b95721ab644ce815c9cba8d35f5df0359a909963

C:\Users\Admin\AppData\Local\Temp\4f66b5e8-99f3-465d-9b50-3fed43676c36.vbs

MD5 4702e821e65a63e684699d8ebf804fdf
SHA1 48d0ab0a401bd3e86048a85b326ad124ad8e9530
SHA256 e11dbdfdc3afd9b5fae1546f06ab750005a516f36102970fa13fa84c8d64aec8
SHA512 16744d0e108668c940144bac76367694f7cf69aa679efcc1839a6d2974b5462c991863948d9a1e49e67cd78f5e0337d3ac854e24794f5ee4b8abbc38f60c0464

C:\Users\Admin\AppData\Local\Temp\5b9a3f0b-0689-4243-8f6f-0088f209b745.vbs

MD5 d97524b1d77da4a395f5228839be3ea4
SHA1 ef739c1ce4c156241e9d21af216c9e557224916c
SHA256 3b77b7aab3c3804491eb299f76f75b9c188bb8c3d339d0804f1ba69a69a6f647
SHA512 a0920502a319879ccb42ed1dcb873f108daae2a5f8645292dc5125a47ae478282f3b9885273846b8d47b69c1efdf8d10b4a1a7387b9e853b6e002048defa340f