Malware Analysis Report

2024-10-19 02:01

Sample ID: 241014-fwed1szclc
Target: 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN
SHA256: 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b
Tags: colibri dcrat build1 discovery evasion execution infostealer loader rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b

Threat Level: Known bad

The file 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN was found to be: Known bad.

Malicious Activity Summary

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

DcRat

UAC bypass

Colibri Loader

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

System policy modification

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-14 05:13

Signatures

Unsigned PE
No indicator rows (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-14 05:13
Reported: 2024-10-14 05:15
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"

Signatures

Colibri Loader (tags: loader, colibri)

DcRat (tags: rat, infostealer, dcrat)

Process spawned unexpected child process

Count | Description | Indicator | Process | Target
21 | Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | (blank)

Note: the 21 rows are identical and are collapsed above. A process whose parent is WmiPrvSE.exe is what a launch through WMI (Win32_Process.Create) looks like, so something in this detonation started schtasks.exe 21 times via WMI rather than as a direct child; the schtasks.exe command lines are not shown in this part of the report.
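Detection logic for the pattern in this table, as an added example (not code from the sandbox, the sample, or any vendor): it flags process-creation records in which WmiPrvSE.exe is the parent of a child it has no business launching, and separately parses "schtasks /create" command lines to see where the task's action points. The events, PIDs, command lines, the child list and the path-fragment list are all constructed for the example; the report itself does not show the schtasks.exe command lines.

```python
"""Parent/child anomaly check for process-creation events.

Added example for this report; not code from the sandbox, the sample, or any
detection product. The records below are constructed to mirror the report's
'wmiprvse.exe -> schtasks.exe' rows: the report does not show the schtasks.exe
command lines, so those (and the PIDs and the benign control events) are
invented. Field names follow Sysmon Event ID 1, but nothing was captured from a
live host.
"""
from __future__ import annotations

import ntpath
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the creating process
    command_line: str = ""


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


# Anything started through WMI's Win32_Process.Create is parented by WmiPrvSE.exe,
# which is why the sample never appears as the parent of schtasks.exe in the
# report. The child list is an assumption for this example, not a published
# baseline; tune it against your own WMI usage before deploying.
UNEXPECTED_WMI_CHILDREN = frozenset({
    "schtasks.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
    "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
})

# Path fragments that should not appear in a scheduled task's action (assumed list).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def task_action(command_line: str) -> str | None:
    """Return the /tr (run) argument of a 'schtasks /create' command line, else None."""
    try:
        tokens = shlex.split(command_line, posix=False)  # non-POSIX: backslashes kept
    except ValueError:  # unbalanced quotes
        return None
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered or "/tr" not in lowered:
        return None
    idx = lowered.index("/tr")
    if idx + 1 >= len(tokens):
        return None
    return tokens[idx + 1].strip('"')


def check_event(ev: ProcEvent) -> list[Finding]:
    findings: list[Finding] = []
    parent, child = _base(ev.parent_image), _base(ev.image)
    if parent == "wmiprvse.exe" and child in UNEXPECTED_WMI_CHILDREN:
        findings.append(Finding(ev.pid, "wmi-spawned-child",
                                f"{parent} spawned {child}; likely Win32_Process.Create"))
    if child == "schtasks.exe":
        action = task_action(ev.command_line)
        if action and any(h in action.lower() for h in USER_WRITABLE_HINTS):
            findings.append(Finding(ev.pid, "task-action-in-user-dir",
                                    f"/create with /tr {action}"))
    return findings


def scan(events: list[ProcEvent]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample: two events modelled on the report, two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(4120, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe",
              r'schtasks.exe /create /tn "svcupd" /sc MINUTE /mo 5 '
              r'/tr "C:\Users\Admin\AppData\Roaming\svc\updater.exe" /f'),
    ProcEvent(4188, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe", "cmd.exe /c whoami"),
    ProcEvent(5200, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\system32\cmd.exe",
              r'schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe"'),
    ProcEvent(5300, r"C:\Windows\system32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} [{f.rule}] {f.detail}")
```

The first rule is the one this table supports on its own; the second needs the schtasks.exe command line, which Sysmon Event ID 1 records and the sandbox table does not, and it is what turns "WMI launched schtasks" into "a task now runs a binary from a user-writable path".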

UAC bypass

Tags: evasion, trojan

Count | Description | Indicator | Process | Target
11 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe | N/A
11 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe | N/A
11 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe | N/A
1 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | N/A
1 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | N/A
1 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | N/A

Note: the 36 rows are collapsed by distinct (value, process) pair. Despite the signature name, nothing here bypasses UAC: all three values live under HKLM, so writing them already requires administrative rights. What the writes do is switch prompting off for later elevations: EnableLUA = 0 disables UAC altogether (effective after the next reboot), ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop. The original sample wrote each value once; the dropped copy (upfc.exe, executed 11 times in this detonation) wrote each value 11 times.
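Added example (not the sandbox's or the sample's code) that turns the rows above into a check: it normalises the sandbox's \REGISTRY\MACHINE\... paths and Sysmon-style HKLM\... paths to one form, reports every write that sets one of the three policy values to 0, and replays the writes on top of the Windows 10 defaults to say whether elevation has become silent. The events, the two control writes and the svchost.exe writer are constructed; the defaults (EnableLUA = 1, ConsentPromptBehaviorAdmin = 5, PromptOnSecureDesktop = 1) are the stock Windows 10 values.

```python
"""Detect UAC policy tampering in registry write events and derive the UAC
state that results.

Added example for this report; not code from the sandbox, the sample, or any
detection product. The events are constructed from the 'Set value' rows above
(one hardening write and one unrelated value are invented as controls). Field
names follow Sysmon Event ID 13 (Image, TargetObject, Details) but nothing was
captured from a live host. DEFAULTS holds the Windows 10 defaults.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"

# Windows 10 defaults: UAC on, admins prompted for non-Windows binaries,
# prompts shown on the secure desktop.
DEFAULTS = {"enablelua": 1, "consentpromptbehavioradmin": 5, "promptonsecuredesktop": 1}

# What a value of 0 means for each of them. None of this is a bypass: writing
# HKLM needs admin rights already; it removes prompting for later elevations.
MEANING_OF_ZERO = {
    "enablelua": "UAC disabled entirely (takes effect after the next reboot)",
    "consentpromptbehavioradmin": "administrators elevate without any prompt",
    "promptonsecuredesktop": "elevation prompts leave the secure desktop",
}


@dataclass
class RegEvent:
    image: str     # process that wrote the value
    target: str    # native (\REGISTRY\MACHINE\...) or HKLM\... path to the value
    value: int     # DWORD written


def normalise(target: str) -> str:
    """Map '\\REGISTRY\\MACHINE\\...', 'HKEY_LOCAL_MACHINE\\...' and 'HKLM\\...'
    to one lowercase 'hklm\\...' form so sandbox and Sysmon paths compare equal."""
    t = target.lower().lstrip("\\")
    for prefix in ("registry\\machine\\", "hkey_local_machine\\", "hklm\\"):
        if t.startswith(prefix):
            return "hklm\\" + t[len(prefix):]
    return t


def policy_value_name(target: str) -> str | None:
    """The UAC value name if 'target' is one of the three policy values, else None."""
    key, _, name = normalise(target).rpartition("\\")
    return name if key == POLICY_KEY and name in DEFAULTS else None


def weakening_writes(events: list[RegEvent]) -> list[tuple[str, str, str]]:
    """(process basename, value name, meaning) for every write that sets a UAC
    policy value to 0. Only 0 is flagged: ConsentPromptBehaviorAdmin's other
    values are not ordered from weak to strong, so 'lower than default' is wrong."""
    out = []
    for ev in events:
        name = policy_value_name(ev.target)
        if name is not None and ev.value == 0:
            out.append((ntpath.basename(ev.image), name, MEANING_OF_ZERO[name]))
    return out


def effective_state(events: list[RegEvent]) -> dict[str, int]:
    """Replay the writes in order on top of the defaults."""
    state = dict(DEFAULTS)
    for ev in events:
        name = policy_value_name(ev.target)
        if name is not None:
            state[name] = ev.value
    return state


def elevation_is_silent(state: dict[str, int]) -> bool:
    """True when an administrator's elevation would no longer show a prompt."""
    return state["enablelua"] == 0 or state["consentpromptbehavioradmin"] == 0


NATIVE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UPFC = r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"

# Constructed: a hardening write first (invented control), then the report's
# writes in both path notations, then an unrelated value in the same key (control).
SAMPLE_EVENTS = [
    RegEvent(r"C:\Windows\System32\svchost.exe", NATIVE + r"\ConsentPromptBehaviorAdmin", 2),
    RegEvent(UPFC, NATIVE + r"\EnableLUA", 0),
    RegEvent(UPFC, NATIVE + r"\ConsentPromptBehaviorAdmin", 0),
    RegEvent(UPFC, NATIVE + r"\PromptOnSecureDesktop", 0),
    RegEvent(SAMPLE, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 0),
    RegEvent(SAMPLE, NATIVE + r"\DisableCAD", 1),
]

if __name__ == "__main__":
    for proc, name, meaning in weakening_writes(SAMPLE_EVENTS):
        print(f"{proc}: {name}=0 -> {meaning}")
    print("silent elevation:", elevation_is_silent(effective_state(SAMPLE_EVENTS)))
```

The replay matters on a real host because the last write wins: a hardening write followed by the sample's writes still ends with all three values at 0, which is what the report's machine looked like after the detonation.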

DCRat payload

Tags: rat
No indicator rows (Description, Indicator, Process and Target are all N/A).

Checks computer location settings

Count | Description | Indicator | Process | Target
11 | Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe | N/A
1 | Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | N/A

Note: 12 rows collapsed by process. Geo\Nation holds the user's configured country as a GeoID; reading it, together with the NLS\Language reads further down, is a common way for malware to decide whether to run in a given region.

Executes dropped EXE

Count | Process (Description, Indicator and Target are N/A for every row)
3 | C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
2 | C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
2 | C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe
2 | C:\Users\Admin\AppData\Local\Temp\tmp3FD3.tmp.exe
2 | C:\Users\Admin\AppData\Local\Temp\tmp5D4E.tmp.exe
2 | C:\Users\Admin\AppData\Local\Temp\tmp8ECE.tmp.exe
2 | C:\Users\Admin\AppData\Local\Temp\tmpBDEC.tmp.exe
2 | C:\Users\Admin\AppData\Local\Temp\tmpEF7C.tmp.exe
2 | C:\Users\Admin\AppData\Local\Temp\tmpBCE.tmp.exe
2 | C:\Users\Admin\AppData\Local\Temp\tmp3C15.tmp.exe
2 | C:\Users\Admin\AppData\Local\Temp\tmp6C6C.tmp.exe
11 | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

Note: 34 rows collapsed by process. Each tmp*.tmp.exe runs as two instances (tmpA77F.tmp.exe as three), which matches the pairs in the SetThreadContext table below, where one instance rewrites the thread context of the other. upfc.exe, the copy dropped under Program Files (x86), is started 11 times within the 119 s detonation.

Checks whether UAC is enabled

Tags: evasion, trojan

Count | Description | Indicator | Process | Target
11 | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe | N/A
11 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe | N/A
1 | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | N/A
1 | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | N/A

Note: 24 rows collapsed by distinct row. The 12 Set value rows repeat the EnableLUA writes already listed under UAC bypass; the 12 reads of the same value are the checks that give this signature its name, one per process run.

Suspicious use of SetThreadContext

Description | Indicator | Image (Process and Target are both this image)
PID 2868 set thread context of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 3612 set thread context of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 1896 set thread context of 3956 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe
PID 3596 set thread context of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3FD3.tmp.exe
PID 1864 set thread context of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5D4E.tmp.exe
PID 3300 set thread context of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8ECE.tmp.exe
PID 1440 set thread context of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBDEC.tmp.exe
PID 3060 set thread context of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEF7C.tmp.exe
PID 3644 set thread context of 4272 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBCE.tmp.exe
PID 3428 set thread context of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3C15.tmp.exe
PID 2480 set thread context of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6C6C.tmp.exe

Note: in every row the target is a second instance of the same image. That is the pattern of a loader starting a copy of itself and replacing the copy's code before letting it run (process hollowing / RunPE), not injection into an unrelated process; the unpacked payload executes in the second PID of each pair.
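Added example (not sandbox or sample code) that joins context-set rows of this form with process-creation records and keeps only self-targeted hollowing: pairs in which the source process created the target from its own image. Three rows are taken from the table above; the process list, the parent PIDs and the control pair are constructed, because this part of the report does not list process creation.

```python
"""Reconstruct self-targeted process hollowing from SetThreadContext rows.

Added example for this report; not code from the sandbox or the sample. The
context-set rows are copied from the table above. The report's visible part
does not list the corresponding process-creation records, so the parent PIDs
below are assumed (each second instance is taken to be a child of the first),
and one extra pair is invented as a control.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

CTX_ROW = re.compile(r"PID (\d+) set thread context of (\d+)")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


def parse_context_rows(rows: list[str]) -> list[tuple[int, int]]:
    """(source pid, target pid) for each 'PID a set thread context of b' row."""
    pairs = []
    for row in rows:
        m = CTX_ROW.search(row)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def hollowing_chains(procs: list[Proc], pairs: list[tuple[int, int]]) -> list[tuple[int, int, str]]:
    """Keep the pairs where the source created the target from its own image:
    start a copy of yourself suspended, replace its memory, point its thread at
    the new entry point with SetThreadContext, resume. Injection into an
    unrelated or pre-existing process is excluded here on purpose, so the
    result is the self-hollowing signature and nothing else."""
    by_pid = {p.pid: p for p in procs}
    chains = []
    for src, dst in pairs:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s is None or d is None:
            continue
        same_image = ntpath.basename(s.image).lower() == ntpath.basename(d.image).lower()
        if d.ppid == src and same_image:
            chains.append((src, dst, s.image))
    return chains


TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Three rows from the report plus one invented control row.
CONTEXT_ROWS = [
    "PID 2868 set thread context of 2852",
    "PID 3612 set thread context of 1740",
    "PID 1896 set thread context of 3956",
    "PID 9000 set thread context of 640",   # constructed: targets an existing process
]

# Constructed process list: parent PIDs are assumed, images follow the report.
PROCESSES = [
    Proc(2868, 1000, TMP + r"\tmpA77F.tmp.exe"),
    Proc(2852, 2868, TMP + r"\tmpA77F.tmp.exe"),
    Proc(3612, 1000, TMP + r"\tmpD5BF.tmp.exe"),
    Proc(1740, 3612, TMP + r"\tmpD5BF.tmp.exe"),
    Proc(1896, 1000, TMP + r"\tmp1047.tmp.exe"),
    Proc(3956, 1896, TMP + r"\tmp1047.tmp.exe"),
    Proc(9000, 1000, TMP + r"\other.exe"),
    Proc(640, 4, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for src, dst, image in hollowing_chains(PROCESSES, parse_context_rows(CONTEXT_ROWS)):
        print(f"{ntpath.basename(image)}: {src} hollowed its own child {dst}")
```

The join is the useful part: the context-set rows alone say "injection", the parent link plus identical image narrows that to the loader unpacking into a copy of itself, and the second PID of each chain is where to pull memory from.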

Drops file in Program Files directory

Description | Indicator (Process is C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe and Target is N/A for every row)
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ea1d8f6d871115
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCXA2E8.tmp
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\eddb19405b7ce1
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXAB4A.tmp
File created | C:\Program Files\Windows NT\unsecapp.exe
File opened for modification | C:\Program Files\Windows NT\unsecapp.exe
File created | C:\Program Files\Windows NT\29c1c3cc0f7685
File opened for modification | C:\Program Files\Windows NT\RCXAFD0.tmp

Note: rows regrouped by directory. upfc.exe, backgroundTaskHost.exe and unsecapp.exe are the names of genuine Windows binaries (the first two ship in C:\Windows\System32, unsecapp.exe in C:\Windows\System32\wbem); none of the directories used here normally holds an executable by that name. Each dropped executable is accompanied by a file with a 14-character hexadecimal name and no extension in the same directory, and the RCX*.tmp entries are the temporary files the Windows CopyFile API writes while copying, so the executables are copied into place rather than written directly.

Drops file in Windows directory

Description | Indicator (Process is C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe and Target is N/A for every row)
File created | C:\Windows\Provisioning\Cosa\StartMenuExperienceHost.exe
File opened for modification | C:\Windows\Provisioning\Cosa\StartMenuExperienceHost.exe
File created | C:\Windows\Provisioning\Cosa\55b276f4edf653
File opened for modification | C:\Windows\Provisioning\Cosa\RCXA710.tmp
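Added example (not sandbox or sample code) that checks the two things visible in the two drop tables above: an executable carrying a Windows binary's name created outside the directories where such binaries live, and a 14-hex-character marker file written by the same process into the same directory as a dropped .exe. The events are constructed from the rows above plus one invented benign installer write; the name list and the system-directory list are assumptions for the example and would come from a clean-image inventory in practice.

```python
"""Flag dropped executables that borrow a Windows binary's name but land outside
the directories such binaries live in, and pair each with the marker file
dropped beside it.

Added example for this report; not code from the sandbox or the sample. The
file events are constructed from the 'Drops file' rows above (one benign
installer write is invented as a control). Field names follow Sysmon Event ID
11 (Image, TargetFilename). The name list and the set of expected system
directories are assumptions for this example.
"""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Names the sample reuses, plus a few other frequently imitated ones (assumed list).
WINDOWS_BINARY_NAMES = frozenset({
    "upfc.exe", "unsecapp.exe", "backgroundtaskhost.exe",
    "startmenuexperiencehost.exe", "svchost.exe", "dllhost.exe", "csrss.exe",
})

# Where genuine copies of such binaries live (assumed list, lowercase, trailing slash).
EXPECTED_SYSTEM_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\windows\\systemapps\\", "c:\\windows\\winsxs\\",
)

# The companion files in the report are 14 lowercase hex characters, no extension.
MARKER_NAME = re.compile(r"^[0-9a-f]{14}$")


@dataclass(frozen=True)
class FileEvent:
    image: str   # process that created the file
    path: str    # TargetFilename


def masquerading_drops(events: list[FileEvent]) -> list[str]:
    """Paths of created files named like a Windows binary but outside system dirs."""
    hits = []
    for ev in events:
        p = ev.path.lower()
        if ntpath.basename(p) in WINDOWS_BINARY_NAMES and not p.startswith(EXPECTED_SYSTEM_DIRS):
            hits.append(ev.path)
    return hits


def marker_pairs(events: list[FileEvent]) -> list[tuple[str, str]]:
    """(exe, marker) for every directory in which one process wrote both an
    .exe and a 14-hex marker file. The pairing is what makes the drop pattern
    distinctive; a lone hex-named file is not worth an alert on its own."""
    by_dir: dict[tuple[str, str], list[str]] = defaultdict(list)
    for ev in events:
        by_dir[(ev.image.lower(), ntpath.dirname(ev.path).lower())].append(ev.path)
    pairs = []
    for paths in by_dir.values():
        exes = [p for p in paths if p.lower().endswith(".exe")]
        markers = [p for p in paths if MARKER_NAME.match(ntpath.basename(p))]
        pairs.extend((e, m) for e in exes for m in markers)
    return pairs


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"
REF30 = r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0"
REF35 = r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5"

# Constructed from the report's rows; the last event is an invented control.
SAMPLE_EVENTS = [
    FileEvent(SAMPLE, REF30 + r"\upfc.exe"),
    FileEvent(SAMPLE, REF30 + r"\ea1d8f6d871115"),
    FileEvent(SAMPLE, REF30 + r"\RCXA2E8.tmp"),
    FileEvent(SAMPLE, REF35 + r"\backgroundTaskHost.exe"),
    FileEvent(SAMPLE, REF35 + r"\eddb19405b7ce1"),
    FileEvent(SAMPLE, r"C:\Program Files\Windows NT\unsecapp.exe"),
    FileEvent(SAMPLE, r"C:\Program Files\Windows NT\29c1c3cc0f7685"),
    FileEvent(SAMPLE, r"C:\Windows\Provisioning\Cosa\StartMenuExperienceHost.exe"),
    FileEvent(SAMPLE, r"C:\Windows\Provisioning\Cosa\55b276f4edf653"),
    FileEvent(r"C:\Users\Admin\Downloads\vendor-setup.exe", r"C:\Program Files\Vendor\app.exe"),
]

if __name__ == "__main__":
    for path in masquerading_drops(SAMPLE_EVENTS):
        print("masquerade:", path)
    for exe, marker in marker_pairs(SAMPLE_EVENTS):
        print("marker pair:", ntpath.basename(exe), "+", ntpath.basename(marker))
```

The name check alone would also fire on a legitimate copy placed somewhere unusual by an administrator; requiring the marker file in the same directory from the same writer is what ties an alert to this drop routine rather than to any stray system binary.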

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Count | Description | Indicator | Process | Target
12 | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | one event per dropped stage under C:\Users\Admin\AppData\Local\Temp\, tmpA77F.tmp.exe twice: tmp5D4E.tmp.exe, tmpBCE.tmp.exe, tmp3C15.tmp.exe, tmp6C6C.tmp.exe, tmpEF7C.tmp.exe, tmpA77F.tmp.exe, tmpA77F.tmp.exe, tmpD5BF.tmp.exe, tmp1047.tmp.exe, tmp3FD3.tmp.exe, tmp8ECE.tmp.exe, tmpBDEC.tmp.exe | N/A

Modifies registry class

Count | Description | Indicator | Process | Target
11 | Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe | N/A
1 | Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe | N/A

Suspicious behavior: EnumeratesProcesses

Count | Process (Description, Indicator and Target are N/A for every row)
7 | C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe
33 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4 (rows shown; the table continues) | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

Note: rows collapsed by process. The 33 powershell.exe rows are the processes behind the "Command and Scripting Interpreter: PowerShell" entry in the summary; their command lines are not part of this section.
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 3060 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 3060 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 1772 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 1772 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 1772 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 2868 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 2868 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 2868 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 2868 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 2868 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 2868 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 2868 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe
PID 3060 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\cmd.exe
PID 3060 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\cmd.exe
PID 2548 wrote to memory of 208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2548 wrote to memory of 208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2548 wrote to memory of 3900 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe
PID 2548 wrote to memory of 3900 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe
PID 3900 wrote to memory of 4780 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Windows\System32\WScript.exe
PID 3900 wrote to memory of 4780 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Windows\System32\WScript.exe
PID 3900 wrote to memory of 2852 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Windows\System32\WScript.exe
PID 3900 wrote to memory of 2852 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Windows\System32\WScript.exe
PID 3900 wrote to memory of 3612 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 3900 wrote to memory of 3612 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 3900 wrote to memory of 3612 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 3612 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 3612 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 3612 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 3612 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 3612 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 3612 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 3612 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe
PID 4780 wrote to memory of 3788 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe
PID 4780 wrote to memory of 3788 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe
PID 3788 wrote to memory of 4436 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Windows\System32\WScript.exe
PID 3788 wrote to memory of 4436 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Windows\System32\WScript.exe
PID 3788 wrote to memory of 4492 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Windows\System32\WScript.exe
PID 3788 wrote to memory of 4492 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Windows\System32\WScript.exe
PID 4436 wrote to memory of 4072 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe
PID 4436 wrote to memory of 4072 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe
PID 4072 wrote to memory of 5076 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe

"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\Provisioning\Cosa\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\Provisioning\Cosa\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Videos\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Videos\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows NT\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\unsecapp.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA77F.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mtbJLPzJ4Q.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8018f030-b499-4e3c-bfda-bf27ceef042f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45d15278-4788-424b-9861-d5b3c228f5af.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD5BF.tmp.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af41b22c-28b1-4b2e-b4b5-9f7c252f8beb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5caac2b3-ee67-4d81-9fc4-7cdb07b21ae4.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7d8d1d8-3e94-4854-9d78-56a239af94a5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56ec8a81-3be1-4f79-aa48-d1cd3afce490.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ff080e3-e934-4621-a9c7-81166907da41.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59464f18-7170-4495-96f2-64b8470bca4a.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp3FD3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3FD3.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp3FD3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3FD3.tmp.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22451b95-8abc-4122-ba34-96b564c4b674.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86c52562-031d-4175-81b0-5f66a37192dc.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp5D4E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5D4E.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5D4E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5D4E.tmp.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e40d090-3fe7-4f11-816b-4602721a613f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ccf3ce4-2de6-4fd8-8b78-ae9768f456db.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp8ECE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8ECE.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8ECE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8ECE.tmp.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd59b299-3946-416f-ab9c-408de5b05ab4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a78d9720-96d2-416b-9f98-66d323e35b67.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpBDEC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBDEC.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpBDEC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBDEC.tmp.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caa872e9-e6ad-4a58-a5f0-410554067e97.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a56b50fa-81be-4282-85cf-7bf74fabf6b4.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpEF7C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEF7C.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpEF7C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEF7C.tmp.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5d3ce7a-23c0-4349-a9da-55add088e23b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5699d0e9-fac2-4c4b-975f-afa65f4c693a.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpBCE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBCE.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpBCE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBCE.tmp.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4b43992-c535-4d71-91d3-bceb6bacf646.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\036cb240-e079-4709-990f-48166ee64b3b.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp3C15.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3C15.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp3C15.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3C15.tmp.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a328bf9d-3e5e-415f-ba8f-b9b6894c0b6a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e6476b8-c122-4e08-a732-e3d5e83a2b7a.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp6C6C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6C6C.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp6C6C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6C6C.tmp.exe"

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 05:13

Reported

2024-10-14 05:15

Platform

win7-20241010-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\es-ES\winlogon.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\Windows Sidebar\es-ES\winlogon.exe C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File created C:\Program Files\Windows Sidebar\es-ES\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\es-ES\RCXEA14.tmp C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe C:\Windows\System32\cmd.exe
PID 1096 wrote to memory of 1312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1096 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
PID 2616 wrote to memory of 2868 N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe C:\Windows\System32\WScript.exe
PID 2616 wrote to memory of 2912 N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe C:\Windows\System32\WScript.exe
PID 2868 wrote to memory of 1484 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
PID 1484 wrote to memory of 1868 N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe C:\Windows\System32\WScript.exe
PID 1484 wrote to memory of 880 N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe C:\Windows\System32\WScript.exe
PID 1868 wrote to memory of 572 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Sidebar\es-ES\winlogon.exe
PID 572 wrote to memory of 1616 N/A C:\Program Files\Windows Sidebar\es-ES\winlogon.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Sidebar\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe

"C:\Users\Admin\AppData\Local\Temp\76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154bN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\es-ES\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzBJK7Zui3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

"C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edf23544-76fe-404a-a45d-6e74f9e318f0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99ab548e-353c-46c2-b31f-68b0ea1f0652.vbs"

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

"C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83a64264-36ab-4ae2-b75b-dbede61776e4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bc483a5-fe9c-409c-87f9-1c8a2c11d3b7.vbs"

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

"C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06d49204-390d-47f4-90e3-8f33ef0f4965.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f1f0607-cadc-4fa7-a327-ffde549bbc47.vbs"

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

"C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd295424-8cb3-4dca-a4b4-10f8e1567953.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e5e7ffc-0216-448b-b0f7-117422c84c0f.vbs"

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

"C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e68c0ede-d22d-4a96-bbc7-b407036da2dd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f24a0374-4f6c-41ec-9fff-44f3b829a08e.vbs"

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

"C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3fac9ca-7b55-43cf-8615-de9d22cbcde7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e1810a6-2389-48a1-8419-7850e9da358b.vbs"

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

"C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e202db8b-aa5c-40c4-8f61-1b64a6daea9a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe1868b6-7699-4ae6-9e51-d17152c27d23.vbs"

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

"C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc1de1af-6fb8-40fe-aaa0-38c303133f88.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81e311d7-f519-4d53-9431-1e7bbaa482e9.vbs"

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

"C:\Program Files\Windows Sidebar\es-ES\winlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp

Files

C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe

MD5 028bdc90907407e6347ed647ec3a4520
SHA1 a4666b332fa2086a2367fca57e8f8516f661703f
SHA256 76a824876f1d947fb290138a601306849881effd0871fb2d7baf5b7f7922154b
SHA512 a98b624d5a480fe88d23a0c11f52bf16c9f7631d1f0a4d8eb1255b1da325c8a78b997b75c43d79c6b16a1d9b6704315b931eba826ee0266487b099244a2a852e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 58641b6d04a320fb797883b453e4b084
SHA1 01dad21ebd6bbff78aab76f7702f39af9fe9df3f
SHA256 566179c7ccb450dc938ba881e6c2442dd042f129fc2a99879feefdf9325115ae
SHA512 23c3e890b2f92dfabfd094b9eec2274cb8be39ec4dfbc7b9e6522c099ee83a55c7958acccb862663f5b2e867a5bfd1e5c4a3d3d37e9935ead5e785524653b292

C:\Users\Admin\AppData\Local\Temp\qzBJK7Zui3.bat

MD5 f434bc1e79870beef7cdd006e776174d
SHA1 f95981aab38e36e2786f7171e0ba460c6988d2af
SHA256 adcd32d4ed0150d665b50eeebc56eb735ae1a0722388b8da6f086c782de7eb78
SHA512 61cdae15791b5abe7d2c7070ef4c986bdfae9fb52b2b299453d0ed97cf831c84d34887a9cbce33337f7835f091abd666f0f85cc25c5990c55a51a3e474f2fe72

C:\Users\Admin\AppData\Local\Temp\tmp15D2.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Local\Temp\edf23544-76fe-404a-a45d-6e74f9e318f0.vbs

MD5 7f7e8f386e7295f6c93b4aaebaf0605b
SHA1 0ba83e4633959bb637bdb43f166c2a4f4c511ca6
SHA256 8f27dd2d14f3fc9b9a1c75c8bd9bb4cdb77bbbba45a47470c97230f7ce1b7191
SHA512 4442ca350111515fab62e5f1cda4629e78213fb18737ab8656bb78bdb7fd459ad635ac51814f583afbe05cad0f2d3213b59cdd8df572dff4fdd3a1f090332313

C:\Users\Admin\AppData\Local\Temp\99ab548e-353c-46c2-b31f-68b0ea1f0652.vbs

MD5 eedd8ba5e992c69452f2720edb2318d8
SHA1 2cda769b4a5eee515094695dd86c4400fb75bc2d
SHA256 5c780019dff25dc6012ed39842991e1bb90c8f0fd215af570794c1f96b8d891b
SHA512 8bdd28dc0b7c2c13db454b02943b8656e39c0fcdb1065e522d8b8d6abb202cd87c086b677295cf927929fe92bd5f109f90757fc224ec4a33c9972333796bd96b

C:\Users\Admin\AppData\Local\Temp\83a64264-36ab-4ae2-b75b-dbede61776e4.vbs

MD5 184a77f7070b33fff4640a51a29e3e2c
SHA1 1553e5ab086fb803cf02494d6ca30fd407e0af21
SHA256 3e5f9c56c8de29f9088b7cecc5ec07028b496139680dfbe69f08a0a034e5078b
SHA512 99d4a2c3e5f930e83c6b9c8e028b7d056b31e46c5daf1d449ee1035e013a0d287f2d645e2a7990f22872cd84ef3fe64c1da4152d7e90457d5e48fa3e5eef0a5e

C:\Users\Admin\AppData\Local\Temp\06d49204-390d-47f4-90e3-8f33ef0f4965.vbs

MD5 8d17c908cab1c7b491719d02f7feb0fc
SHA1 4805f1d60d5e3534a4ec3a15e7da36c6852ee593
SHA256 620a2f426c39dac14d24f1b7133ace1599b94b7e929d9b2267e7bdf6a50f3bfd
SHA512 6a2961cab6cf3f04630a0598cc6ca5b8a071b4410279dfee2b396f36908f316a738d159fdb5d75f265612e989eb79713e5b176b49b2015dbdcf8e68c974de736

C:\Users\Admin\AppData\Local\Temp\fd295424-8cb3-4dca-a4b4-10f8e1567953.vbs

MD5 02557bbc2b2d26b05bd8620ae48db042
SHA1 615d12778c874450081af4a8022fae0108685571
SHA256 3c36a70e5b5fcf9dad084e551e5c2c74b46a4559d22ec059a603fbda44e4fe70
SHA512 77ef77ec47108225b02973a2005c2388e51d5d62ec485675728865a2bf4f5f7b90b885ac16202127e577a0a2c20ee84308368aabd8d4458c959a5d323374a6b9

C:\Users\Admin\AppData\Local\Temp\e68c0ede-d22d-4a96-bbc7-b407036da2dd.vbs

MD5 acb20f116f350c5ace5c3b2b20cc8845
SHA1 9f30f2378a01ef148da3698a7ddb989b020994fb
SHA256 240a4e1134ba37f163c7b8a5f744063b3b305699ef9a2a8ee318d4e2d2b5d6f8
SHA512 45f1bcd4b22bb151989bf94f697f240164efbe34b186ad52d95a7195b8994130762f513ef11b98dda1427799b54e5b373d4aad2d87fa656a8d932678d242e5bb

C:\Users\Admin\AppData\Local\Temp\d3fac9ca-7b55-43cf-8615-de9d22cbcde7.vbs

MD5 83068d19a6240a845075d049fb693cd9
SHA1 d17f6bb10ebabf609757e53e7bf8a442aee529cb
SHA256 1d7c83d28b044b8a79d0307cdd10ecaa0ef8b8a7693670501680c2ff7c3f450b
SHA512 6ef0bbec4b20982b778718d5c5193f6975a4ffbb4dbf2aa485a50c3e1878f66fb8d9b9084148164eedfd0f84ba1d07ded75e6f3b9afc9bb8cf8e597617573fc4

C:\Users\Admin\AppData\Local\Temp\e202db8b-aa5c-40c4-8f61-1b64a6daea9a.vbs

MD5 d90de39caab0de94c64e628e15fc131d
SHA1 cf81472cde7ab6a5f1a50fa9a3277e2e0141a715
SHA256 917853c9e5e1fb6f47fb9a27cb4c4e5ddf31f271ac7ac40af17725837897671e
SHA512 562f0c43e53f21cdda602b3fc89bb567f663755e2c9c8270f57696da23baf94634d274d082414f035109f29ed9cd2b498277fa1ca85ed05b5247ede297c3a053

C:\Users\Admin\AppData\Local\Temp\cc1de1af-6fb8-40fe-aaa0-38c303133f88.vbs

MD5 65457ca16a3e3c538d2bf4bc797afb00
SHA1 9b30e7814b98055dce8d41ca837f1d8e0bd1386a
SHA256 c128f9e2829740cc4c8540d1f399f7b4a334db249e67cc3035fb2477703444d4
SHA512 e4e54c401190463b0db85f91a21ee81518b117e9303077e74874febc0baf40c956fb48b95a049c1b7a9735eab2138954a7c3f2cd028ef60d16ec5b048dc2b9c5

C:\Program Files\Windows Sidebar\es-ES\winlogon.exe

MD5 a5253cbb3e73b6a0b2c14a4973f84e2c
SHA1 63fdd07e867a4351bfa80bc9206fed940e24a683
SHA256 8e211e8e1ccded47c7d711dca911b6ef467c1825025c47a3214b9cb17593dc9a
SHA512 a51502d63a24176a206c19a249cec25a041b4f9001ea3005770129b28bcb86665588bc3140db64081a11a100a06b69f519ec2938e907cfd0b5a4ce448e33c165