Malware Analysis Report

2024-10-23 16:29

Sample ID 241014-sqgneavgrm
Target 5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN
SHA256 5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f
Tags
dcrat evasion execution infostealer rat trojan colibri build1 discovery loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f

Threat Level: Known bad

The file 5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Process spawned unexpected child process

UAC bypass

DcRat

Colibri Loader

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 15:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 15:19

Reported

2024-10-14 15:21

Platform

win7-20240903-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (42 identical events)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A (10 identical events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A (10 identical events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A (10 identical events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A (1 event)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A (1 event)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A (1 event)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A (10 identical events)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Documents\lsm.exe N/A (10 identical events)
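The three values written above live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which only an elevated process can modify, so the "UAC bypass" label describes UAC being switched off for later elevations rather than being bypassed for the initial write: EnableLUA=0 disables UAC after the next reboot, ConsentPromptBehaviorAdmin=0 makes administrators elevate silently with immediate effect, and PromptOnSecureDesktop=0 moves any remaining prompt onto the normal desktop. The following Python is an added example, not part of the sandbox report or of DCRat, that parses rows in the report's own flattened format (constructed here, with the sample shortened to sample.exe), replays the writes against the Windows 7+ defaults, and reports the resulting UAC state; it serves both the "UAC bypass" and the "Checks whether UAC is enabled" tables.

```python
import re

# UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,
# their Windows 7+ defaults, and what writing 0 to them does. 0 is the disabling value for all three.
UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_POLICY_VALUES = {
    "EnableLUA": (1, "UAC switched off entirely (takes effect after the next reboot)"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate silently, no consent prompt (immediate)"),
    "PromptOnSecureDesktop": (1, "elevation prompts shown on the normal desktop, where other processes can drive them"),
}

# One flattened report row: <op> <registry path>[ = "<data>"] <process> N/A
# The process path may contain spaces, so it is matched lazily up to the trailing N/A.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\\S+?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?\s+'
    r'(?P<proc>[A-Za-z]:\\.+?)(?:\s+N/A)?$'
)

# Constructed rows in the report's format (sample binary shortened to sample.exe; last row is a
# benign control write to an unrelated value under the same key).
SAMPLE_ROWS = [
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Documents\lsm.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "1" C:\Windows\System32\gpupdate.exe N/A',
]


def parse_registry_rows(rows):
    """Parse flattened registry rows into dicts: op, key, value name, data (None for reads), process."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        key, _, name = m.group("path").rpartition("\\")
        events.append({
            "op": "set" if m.group("op").startswith("Set") else "query",
            "key": key,
            "name": name,
            "data": m.group("data"),
            "proc": m.group("proc"),
        })
    return events


def assess_uac_policy(events):
    """Replay the writes in order; return the final UAC policy state and one finding per (process, value) that zeroed it."""
    state = {name: default for name, (default, _) in UAC_POLICY_VALUES.items()}
    findings, seen = [], set()
    for ev in events:
        if ev["op"] != "set" or ev["key"] != UAC_POLICY_KEY or ev["name"] not in UAC_POLICY_VALUES:
            continue
        try:
            new = int(ev["data"])
        except (TypeError, ValueError):
            continue
        state[ev["name"]] = new
        # The sandbox logs the same write many times; report each downgrade once per process.
        if new == 0 and (ev["proc"], ev["name"]) not in seen:
            seen.add((ev["proc"], ev["name"]))
            _, effect = UAC_POLICY_VALUES[ev["name"]]
            findings.append({"proc": ev["proc"], "value": ev["name"], "data": new, "effect": effect})
    return state, findings


def uac_effectively_off(state):
    """True when UAC is disabled outright or administrators are auto-elevated without a prompt."""
    return state["EnableLUA"] == 0 or state["ConsentPromptBehaviorAdmin"] == 0


if __name__ == "__main__":
    state, findings = assess_uac_policy(parse_registry_rows(SAMPLE_ROWS))
    print("final UAC policy state:", state, "| UAC effectively off:", uac_effectively_off(state))
    for f in findings:
        print(f"{f['proc']} set {f['value']}={f['data']}: {f['effect']}")
```

On a live host the same assessment can be made by reading the three values from HKLM directly; the point of replaying the sandbox rows is that the order matters, since a later write can restore a value that an earlier one zeroed.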

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File created C:\Program Files\Google\Chrome\8647b3c35d49d9 C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Program Files\Google\Chrome\RCX100D.tmp C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Program Files\Google\Chrome\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Branding\Basebrd\services.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\services.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File created C:\Windows\Branding\Basebrd\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File created C:\Windows\Help\Help\de-DE\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File created C:\Windows\Help\Help\de-DE\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\RCXA00.tmp C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Windows\Help\Help\de-DE\RCX2421.tmp C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Windows\Help\Help\de-DE\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
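Both file-drop tables show the same pattern: the sample, running from the user's Temp directory, copies itself into directories it should never write to (C:\Program Files\Google\Chrome, C:\Windows\Branding\Basebrd, C:\Windows\Help\Help\de-DE) under the names of real System32 binaries (services.exe, sppsvc.exe, and lsm.exe in the process list), and writes an extension-less file with an all-hex name beside each copy. The Python below is an added example, not part of the sandbox report or of DCRat, that turns rows in the report's format (constructed here, with the sample shortened to sample.exe) into three checks a responder can run over file-creation telemetry: a system-binary name outside the system directories, an executable written into a privileged directory by a process that lives in a user-writable path, and the hex-named companion file. The hex-companion rule is a heuristic taken from the names on this page, not a documented DCRat constant.

```python
import re
from pathlib import PureWindowsPath

# System executables a dropper may copy itself as. They are legitimate only under SYSTEM_DIRS;
# the same file name anywhere else is masquerading.
SYSTEM_BINARY_NAMES = {
    "services.exe", "lsm.exe", "sppsvc.exe", "svchost.exe", "csrss.exe", "lsass.exe",
    "winlogon.exe", "wininit.exe", "smss.exe", "spoolsv.exe", "dllhost.exe", "taskhost.exe",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
PRIVILEGED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
# Markers of locations a standard user can write to; a writer living there should not be
# placing executables under PRIVILEGED_DIRS.
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\all users",
                         r"\programdata", r"\users\public")
# Extension-less all-hex names written beside each dropped copy in this report (e.g. 8647b3c35d49d9).
HEX_COMPANION = re.compile(r"^[0-9a-f]{12,16}$")

ROW_RE = re.compile(r"^(?P<op>File created|File opened for modification)\s+(?P<rest>.+?)(?:\s+N/A)?$")
PATH_SPLIT = re.compile(r"\s+(?=[A-Za-z]:\\)")  # both paths may contain spaces; split before a drive letter

# Constructed rows in the report's format; the last row is a benign control (real services.exe
# being serviced in System32) that must not fire.
SAMPLE_ROWS = [
    r"File created C:\Program Files\Google\Chrome\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File created C:\Program Files\Google\Chrome\8647b3c35d49d9 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File opened for modification C:\Program Files\Google\Chrome\RCX100D.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File created C:\Windows\Branding\Basebrd\services.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File opened for modification C:\Windows\Branding\Basebrd\services.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File created C:\Windows\Branding\Basebrd\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File created C:\Windows\Help\Help\de-DE\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File opened for modification C:\Windows\System32\services.exe C:\Windows\servicing\TrustedInstaller.exe N/A",
]


def parse_file_rows(rows):
    """Split each flattened row into (op, written path, writing process)."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        parts = PATH_SPLIT.split(m.group("rest"))
        if len(parts) != 2:
            continue
        events.append({"op": m.group("op"), "target": parts[0], "proc": parts[1]})
    return events


def _under(path, prefixes):
    p = path.lower()
    return any(p == d or p.startswith(d + "\\") for d in prefixes)


def classify_drop(ev):
    """Return the heuristic tags that apply to one file-write event (empty list means nothing notable)."""
    target = PureWindowsPath(ev["target"])
    parent, name = str(target.parent), target.name.lower()
    tags = []
    if name in SYSTEM_BINARY_NAMES and not _under(parent, SYSTEM_DIRS):
        tags.append("masquerade:system-binary-name-outside-system-dirs")
    if (name.endswith(".exe") and _under(parent, PRIVILEGED_DIRS)
            and any(mk in ev["proc"].lower() for mk in USER_WRITABLE_MARKERS)):
        tags.append("drop:exe-into-privileged-dir-from-user-writable-path")
    if HEX_COMPANION.match(name) and _under(parent, PRIVILEGED_DIRS):
        tags.append("drop:hex-named-companion-file")
    return tags


def triage(rows):
    """Map each flagged path to its tags, in first-seen order, merging repeated writes to the same file."""
    flagged = {}
    for ev in parse_file_rows(rows):
        for tag in classify_drop(ev):
            flagged.setdefault(ev["target"], [])
            if tag not in flagged[ev["target"]]:
                flagged[ev["target"]].append(tag)
    return flagged


if __name__ == "__main__":
    for path, tags in triage(SAMPLE_ROWS).items():
        print(path, "->", ", ".join(tags))
```

The RCX*.tmp rows are left unflagged on purpose: they are the temporary files of the copy itself and carry no signal beyond the destination they sit in, which the other rules already cover.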

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (42 identical events)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A (1 event)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 events, one per powershell.exe instance)
N/A N/A C:\Users\All Users\Documents\lsm.exe N/A (10 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A (1 event)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 events, one per powershell.exe instance)
Token: SeDebugPrivilege N/A C:\Users\All Users\Documents\lsm.exe N/A (10 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 2796 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\cmd.exe (3 events)
PID 1484 wrote to memory of 3020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 events)
PID 1484 wrote to memory of 1744 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\Documents\lsm.exe (3 events)
PID 1744 wrote to memory of 2684 N/A C:\Users\All Users\Documents\lsm.exe C:\Windows\System32\WScript.exe (3 events)
PID 1744 wrote to memory of 2596 N/A C:\Users\All Users\Documents\lsm.exe C:\Windows\System32\WScript.exe (3 events)
PID 2684 wrote to memory of 2992 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Documents\lsm.exe (3 events)
PID 2992 wrote to memory of 828 N/A C:\Users\All Users\Documents\lsm.exe C:\Windows\System32\WScript.exe (3 events)
PID 2992 wrote to memory of 1812 N/A C:\Users\All Users\Documents\lsm.exe C:\Windows\System32\WScript.exe (3 events)
PID 828 wrote to memory of 604 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Documents\lsm.exe (1 event)

Process tree reconstructed from the rows above (parent -> child, PIDs in parentheses):

5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe (2796)
  powershell.exe (1564, 2444, 2320, 2464, 3012, 1324, 1824, 2612, 2708, 2876, 2896, 1492)
  cmd.exe (1484)
    w32tm.exe (3020)
    lsm.exe (1744)
      WScript.exe (2684)
        lsm.exe (2992)
          WScript.exe (828)
            lsm.exe (604)
          WScript.exe (1812)
      WScript.exe (2596)
PID 828 wrote to memory of 604 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Documents\lsm.exe
PID 828 wrote to memory of 604 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\Documents\lsm.exe
PID 604 wrote to memory of 2852 N/A C:\Users\All Users\Documents\lsm.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
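
The rows above are the same three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System written over and over, first by the original sample and then by the dropped lsm.exe: EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, all set to 0. Two caveats a responder should keep in mind: writing these HKLM values already requires an elevated token, so the signature records the removal of future prompts rather than the elevation itself, and EnableLUA=0 only takes effect at the next reboot, whereas the other two change prompting behaviour immediately. The Python below is an added triage helper, not part of the sandbox output: it parses rows in this table's format, collapses the repeated events into one finding per value, and compares a set of live values (for example read with reg query) against the documented defaults. The default values and effect descriptions are assumptions taken from Microsoft's UAC policy documentation; the sample rows are copied from the table.

```python
import re

# Assumed for this example: documented UAC defaults (Windows 7 and later) and what the
# value "0" this sample writes does to each of them.
UAC_POLICY = {
    "EnableLUA": (1, "UAC switched off entirely after the next reboot"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate silently, no consent or credential prompt"),
    "PromptOnSecureDesktop": (1, "elevation prompts drawn on the normal desktop, where they can be spoofed"),
}

# One sandbox row: Set value (<type>) <key>\<value> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\MACHINE\\\S+?)\\(?P<value>\w+) = "(?P<data>[^"]*)" '
    r'(?P<process>.+?) (?P<target>N/A|\S+)$'
)

# Constructed input: six rows copied from the "System policy modification" table above.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Documents\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
'''


def parse_rows(text):
    """Parse rows in the sandbox's 'Set value' format; lines that do not match are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW_RE.match(line.strip()))]


def summarize_uac_writes(rows):
    """Collapse repeated events into one finding per UAC policy value: data seen, writers, effect."""
    findings = {}
    for r in rows:
        if not r["key"].endswith(r"\Policies\System") or r["value"] not in UAC_POLICY:
            continue
        default, effect = UAC_POLICY[r["value"]]
        f = findings.setdefault(r["value"], {"data": set(), "writers": set(), "effect": None})
        f["data"].add(r["data"])
        f["writers"].add(r["process"])
        if r["data"] != str(default):
            f["effect"] = effect
    return findings


def uac_posture(current):
    """Compare live values (name -> int) against the defaults; return one line per deviation."""
    return [
        f"{name}={current[name]} (default {default}): {effect}"
        for name, (default, effect) in UAC_POLICY.items()
        if name in current and current[name] != default
    ]


if __name__ == "__main__":
    for value, f in summarize_uac_writes(parse_rows(SAMPLE_ROWS)).items():
        print(value, sorted(f["data"]), f"{len(f['writers'])} writer(s):", f["effect"])
```

On a suspect host, feed uac_posture the three DWORDs read from the same key; a non-empty result after this sample has run is expected, and an empty one means the values were restored or never changed.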

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe

"C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN5" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN5" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\Help\de-DE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Help\Help\de-DE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Help\de-DE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VuTDFz0U9E.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\511f5aa7-066a-4fc7-8ea9-01c8ade37f8e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26b9f62f-2f7f-46b2-9cbb-8a2dfdbbf694.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6995396e-29ea-4044-b2b9-0ffe51941207.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aead724-39b0-4185-a6fd-149d9e6fb004.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afd2a33d-5bd6-4142-9ece-86a850b5d315.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c147d21-4fbe-44b5-a625-e83f01656691.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbba9294-9c21-4671-99bf-5bf9887cb9c7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeec09dc-860d-4cbc-b066-c7f04b1b2596.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ad6c8e0-0a6b-41bf-b784-f8e4e3a4b98f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d56d3b11-1db7-4f70-be08-178dea6240a8.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4462304-0352-4c4e-b7c3-f150564683c1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1a0c2a6-7558-468c-96d1-5fd2196698f0.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\accc5c32-99b0-41bc-95c0-b2ce6c820d25.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55f1121e-6762-45da-9486-5ab829d6c326.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e24bbded-90ad-4e2a-85d6-707f70f6f58a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd1ce172-1b77-40d3-952d-c3998d6edcf9.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\211cbc0d-ac03-46a7-a81f-f006af7024e3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06a4c834-edcb-464d-91df-16e37715e663.vbs"

C:\Users\All Users\Documents\lsm.exe

"C:\Users\All Users\Documents\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2370028c-1bf8-47bb-bc8c-0889e2c70abc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d1171f0-d7b1-4cb1-9795-cd7d39646537.vbs"

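Read as a sequence, the Processes list shows the loader's whole persistence and evasion routine. The sample stages copies under the names of Windows system processes (services.exe, winlogon.exe, taskhost.exe, explorer.exe, sppsvc.exe, audiodg.exe, csrss.exe, spoolsv.exe, lsm.exe) in directories those binaries never live in, such as C:\Recovery\<GUID>, C:\MSOCache\All Users and C:\Windows\Branding\Basebrd (MITRE T1036.005). For each copy it registers three tasks (T1053.005): one ONLOGON task named exactly after the binary and two MINUTE tasks named after the binary plus its own first letter (servicess, winlogonw, csrssc, lsml, and 5f61...N5 for the sample itself), with /rl HIGHEST on at least one of them. It then adds a Windows Defender exclusion for every top-level directory of C: (T1562.001), hands off to a batch file whose w32tm /stripchart call against localhost is a sleep rather than a time query, and from there lsm.exe and WScript alternate through GUID-named .vbs files in Temp. The Python below is an added example, not code from the report or from the malware, that triages command lines of these shapes and returns the reasons each one is flagged. The input lines are copied from the list above; the set of system-binary names and of directories considered normal for them is an assumption for illustration, not a complete list.

```python
import re
from pathlib import PureWindowsPath

# Assumed for illustration: process names this loader masquerades as, and the only
# directories in which a binary of that name is expected to live.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "lsm.exe", "spoolsv.exe", "sppsvc.exe", "audiodg.exe", "taskhost.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "svchost.exe", "lsass.exe", "smss.exe",
}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

SCHTASKS_RE = re.compile(
    r'''schtasks\.exe /create /tn "(?P<tn>[^"]+)" /sc (?P<sc>\w+)(?: /mo (?P<mo>\d+))?'''
    r''' /tr "'(?P<tr>[^']+)'"(?P<rl> /rl HIGHEST)?''', re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference -ExclusionPath '(?P<path>[^']+)'", re.I)
BAT_RE = re.compile(r'cmd\.exe" /C "(?P<bat>[^"]+\.bat)"', re.I)
W32TM_RE = re.compile(r"w32tm /stripchart /computer:localhost /period:(?P<period>\d+).*/samples:(?P<samples>\d+)", re.I)
WSCRIPT_RE = re.compile(r'wscript\.exe" "(?P<script>[^"]+\.vbs)"', re.I)

# Constructed input: command lines copied from the Processes list above.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\services.exe'" /f
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VuTDFz0U9E.bat"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\511f5aa7-066a-4fc7-8ea9-01c8ade37f8e.vbs"
'''.strip().splitlines()


def masquerades(path):
    """True when a system-process name is launched from a directory it never lives in."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in SYSTEM_DIRS


def triage(cmdline):
    """Return the reasons a command line is suspicious (empty list when none)."""
    reasons = []
    if m := SCHTASKS_RE.search(cmdline):
        p = PureWindowsPath(m["tr"])
        stem = p.stem
        if masquerades(m["tr"]):
            reasons.append(f"{p.name} scheduled from {p.parent}, not a system directory")
        if stem and m["tn"] in (stem, stem + stem[0]):
            reasons.append("task name is the binary name, or the name plus its first letter")
        if m["sc"].upper() == "MINUTE" and m["mo"] and int(m["mo"]) <= 15:
            reasons.append(f"re-launch every {m['mo']} minutes (watchdog)")
        if m["rl"]:
            reasons.append("runs with highest privileges")
    elif m := EXCLUSION_RE.search(cmdline):
        # Drive root or a top-level folder: the exclusion covers far more than one product.
        if len([s for s in re.split(r"[\\/]", m["path"]) if s]) <= 2:
            reasons.append(f"blanket Defender exclusion for {m['path']}")
    elif m := BAT_RE.search(cmdline):
        reasons.append(f"cmd.exe running dropped batch file {PureWindowsPath(m['bat']).name}")
    elif m := W32TM_RE.search(cmdline):
        reasons.append("w32tm stripchart against localhost used as a sleep "
                       f"(period {m['period']} s, {m['samples']} samples)")
    elif m := WSCRIPT_RE.search(cmdline):
        if "\\temp\\" in m["script"].lower():
            reasons.append("WScript running a .vbs dropped in Temp (relaunch stage)")
    return reasons


def triage_all(cmdlines):
    """Map each flagged command line to its reasons; clean lines are left out."""
    return {c: r for c in cmdlines if (r := triage(c))}


if __name__ == "__main__":
    for cmdline, reasons in triage_all(SAMPLE_CMDLINES).items():
        print(cmdline[:70], "->", "; ".join(reasons))
```

The same functions apply unchanged to Sysmon event 1 or Windows 4688 command-line fields; a legitimate task (a DAILY trigger, a binary in its normal directory, no /rl HIGHEST) yields an empty list and is dropped by triage_all.
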
Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp

Files

memory/2796-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

memory/2796-1-0x00000000009B0000-0x0000000000EA4000-memory.dmp

memory/2796-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

memory/2796-3-0x000000001B3D0000-0x000000001B4FE000-memory.dmp

memory/2796-4-0x0000000002540000-0x000000000255C000-memory.dmp

memory/2796-5-0x0000000000410000-0x0000000000418000-memory.dmp

memory/2796-6-0x0000000000510000-0x0000000000520000-memory.dmp

memory/2796-7-0x0000000002560000-0x0000000002576000-memory.dmp

memory/2796-8-0x0000000002580000-0x0000000002590000-memory.dmp

memory/2796-9-0x0000000002590000-0x000000000259A000-memory.dmp

memory/2796-10-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/2796-11-0x00000000025B0000-0x00000000025BA000-memory.dmp

memory/2796-12-0x0000000002750000-0x000000000275E000-memory.dmp

memory/2796-13-0x0000000002760000-0x000000000276E000-memory.dmp

memory/2796-14-0x0000000002770000-0x0000000002778000-memory.dmp

memory/2796-16-0x0000000002790000-0x000000000279C000-memory.dmp

memory/2796-15-0x0000000002780000-0x0000000002788000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe

MD5 4cb19f29a50b590b4e049659105ec340
SHA1 80bc53b20a62cf2d790376f121ec32ef2b1dc905
SHA256 5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f
SHA512 53f74cb5cb83953316d0801c003e29c090acf4bb3d28f924ce70c188475dc052844abe7fd06825e068453496a5106f23d81e574c405b8887fa6445a71ed9ddd9

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe

MD5 ba56bf4bb082d876734a6b7ec126305b
SHA1 4968fec6b449bc6b4372013920d9354c6b1835e0
SHA256 eda3ac5697f9618da517bd850020dcc397b9694dfb09d28acbf0379df81781be
SHA512 b9ceb1a69fb8a051ec20c5c8856c62783b14ef47e1b68ce759a03583e8343772ab485c09c7feea8e58236bd81fc7dedffad76389b7c0860ae4c6aec2f6ee0fa7

memory/2796-131-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5301f908feefeab8c290e2e8ef330004
SHA1 5d62a1092d7cd17bf330306716a659d58e64f78f
SHA256 d2459d7db5a71b0c30cc4202e0b8d5261fd86dc07b42fe5d130cdf3dbad636b9
SHA512 e2557bf18dd3ad127558338793551967bfc64c4ae623d1ddf7936188969bcdf4d230db88881734053c3807d232dfb670428c34e691d6df6979f6bdf4c7e85b8e

memory/2796-148-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

memory/1564-155-0x0000000002860000-0x0000000002868000-memory.dmp

memory/1564-154-0x000000001B4B0000-0x000000001B792000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\VuTDFz0U9E.bat

MD5 19ca0b5d5a3f8f6ab669df77bf8c8eb3
SHA1 d0778aaa1b55619cb10aa1eebbfb64bc17dc23d8
SHA256 82714fa2eee36d84883823fb70df461e59eaf640f544e7abeac7f6d9558ebe12
SHA512 82dbf26a336c3db53a2b23720ce8df2fccf8e790fb53f93420699b6c811f988343f7331e420055f0b96b39afe7c88b9ec7d45b5abfbf2b714012a923afaae7c1

C:\Users\Public\Documents\lsm.exe

MD5 87c1fb1cd37f034871ee2c0d0a120f4d
SHA1 c23c6acf99bbb712cf5e83c98f16f5b8cc79a1e7
SHA256 abf7722edd515b7fe74fa51000b80202e21c2cd4b2550c002695935313be95f4
SHA512 91de27bcb25ea5cd4d64c40efded2a24ab39081f8be11a4c96c3d8445f38942450c148a3eea5dc7059be8251e0102c4d92c5ca189419d16ae73688528135cca2

memory/1744-210-0x0000000000E10000-0x0000000001304000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\511f5aa7-066a-4fc7-8ea9-01c8ade37f8e.vbs

MD5 5e32bf2d729c050552ca5a76ab7f30c6
SHA1 924b0cd8ee3de4af4a7173f9043a3cde1e7158b1
SHA256 095ce42e0701df711b229a43a544329d39e0761f97eefcbc421b73561c549aa8
SHA512 6ec88a168292bd80ecd866b5df08a9489cd3ba69bf809dfd4e792698a03a4411f22750ce3c0f8cf4c512954e69f1eb49d41ea1bfb51e7acaeb7f232b0c7a3be5

C:\Users\Admin\AppData\Local\Temp\26b9f62f-2f7f-46b2-9cbb-8a2dfdbbf694.vbs

MD5 6176cf0f2f0544bc9f211d488137e6c3
SHA1 3d2477f05d807f40392171a2e695f013af2babf5
SHA256 66f118877d67b694d6f2dd6c34fe4614b1720c5eb015a09bfa80cec6747ab19b
SHA512 4512c6216c82a2ca3809a2e71fb3887ed06553a31ebfb847b889fbe6a826ecb571920fb0e1d37b5f4b320a1721e99c3cb0b24321185e3e670d27163b04869cba

C:\Users\Admin\AppData\Local\Temp\tmp4EDB.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/2992-224-0x0000000000010000-0x0000000000504000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6995396e-29ea-4044-b2b9-0ffe51941207.vbs

MD5 b8d74e04404c22e2276c443e6a194783
SHA1 37d3687c92cab92193aeb5da5fbbc849ac20b389
SHA256 d07b4d0027d6135b1742fa41417809cb08eb46fcec555af314e6f77c9321c90f
SHA512 272b7af45a665ef9736dd92c350534687207d1978ed33c08b1673caf370294d1d9fd9ed5425dfb4ed7c6a7ba9e0b483cab748a6a585a563857f79dfd916b1a52

memory/604-239-0x0000000000B40000-0x0000000001034000-memory.dmp

memory/604-240-0x0000000000610000-0x0000000000622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\afd2a33d-5bd6-4142-9ece-86a850b5d315.vbs

MD5 bb1b39353b41b6e1bceae00a9beda67a
SHA1 20b6d073ee1da617a6024b4603e09ee12728dd4e
SHA256 5d1603fe1f2bcabcf077295dbd714ec2a85f7102251247d1a22c331c4909ef91
SHA512 4126f6532bf254a10aec28ad5a241b5a742e7c87079fc850fd2b2b6cec9bfcc977aa83d9abcf82f9cc36c4824d57369670deecbc1969867b1473a6c0a5dbfdb4

memory/2388-255-0x0000000000EA0000-0x0000000001394000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fbba9294-9c21-4671-99bf-5bf9887cb9c7.vbs

MD5 6ed901de91bc7f8eac8ae26ff4c39c99
SHA1 15ff64d1e2c64d1c3a8095d2e848ed357f62da25
SHA256 3149b485676cb80addc641314fce29cb85e9a170c0a834b20967cd1f4190eae7
SHA512 6e8fa1a01045bf0058bb45972726a7f1e71673594318c8f60a629a7493be284324499515b437a877d40fbfb97eacf75f35c50d2f455d244a5af41b93ae51c69a

memory/2016-270-0x00000000003D0000-0x00000000008C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ad6c8e0-0a6b-41bf-b784-f8e4e3a4b98f.vbs

MD5 1d27ea91a7c396113fe89720376c296d
SHA1 5df5958adfd6bbf4734c2a23b9b99133e23b814c
SHA256 6d2c2ec44755b214c3212537701f487639d96ead140292fdc81f73993034ec1c
SHA512 ce2721970c82ac71cefc94405c532e6a19707ab5ab43df3c8d79c8a8d5b297900a7cee5785148e2968152458d9a829d3996bf3e38fd49025b9a5ca7b2d8c8e8f

memory/2052-285-0x0000000000100000-0x00000000005F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e4462304-0352-4c4e-b7c3-f150564683c1.vbs

MD5 ff31844cdce7a6947f10eec5ec3152d0
SHA1 f4cefe7fb23476cd397294f881033874c0746ee2
SHA256 d2fbcb805bf9c15e58298bb085c0ba97557fe8553060fc039686686b717b7ae5
SHA512 349f8c0b82c9466a23b024fa4626648e2579e1ed03a20b55788a14bea03553928cf543a0a7d8d81b7ef6129f6825798a2b7775d494588c3af271eac391a5682f

memory/1628-300-0x0000000000FC0000-0x00000000014B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\accc5c32-99b0-41bc-95c0-b2ce6c820d25.vbs

MD5 1b001a2f6a53ae49c69dce7e1736dbdb
SHA1 ba57c83af8d1f4bde044addb34494473686fea2c
SHA256 8a9d8539955a1e180fbd95fd1ff94f136bb8559741ebcba5228af466a9ca66c5
SHA512 df85ca3ffa9e61582651fdbe5058d7b55f97ba82a4dcea7279e48fde0f7a5712fe18d2dd90a67fa2987919b93e31668f2a9178250c41c40bba52c590e4fef9dc

C:\Users\Admin\AppData\Local\Temp\e24bbded-90ad-4e2a-85d6-707f70f6f58a.vbs

MD5 083a110dac5ad33e502022e70776a08b
SHA1 361e8af76c9ce6c29e8b27986123f64ca04a9426
SHA256 e772788f820efd9311efff43e506b547acb7de3f821d3fff56de6000fe0df7f5
SHA512 a3953a4f477d03096191d51344ac4d7b093f16220659144290c986ace8df2ac74a1cb65ca3c7541c17da59ce4fd05900550e5c6477e94470dc346fad8e5f98c8

memory/2968-329-0x00000000004B0000-0x00000000004C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\211cbc0d-ac03-46a7-a81f-f006af7024e3.vbs

MD5 756a609b60e8242b7e679bee8bda31cc
SHA1 e7681b1cbcd5c9c976f355f968d96d0c10139952
SHA256 9f81c3a05544d1d9debc05340910477eae11a7a70096832f7fdc740de0cc0d30
SHA512 e818b5ce60cc9b42fd549c90200bebfb1f379ff2afa2a56ac960131b2a8d445db892de1484fb1e4f40efcf01d5cce6d2801e17eca86c02165754ab1b78e4d37b

memory/3004-344-0x00000000002C0000-0x00000000007B4000-memory.dmp

memory/3004-345-0x0000000002590000-0x00000000025A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2370028c-1bf8-47bb-bc8c-0889e2c70abc.vbs

MD5 9ed04a28656e76bf0e0f727d6ac8e235
SHA1 190cd171928f79c2a82c56be71740eb756a80293
SHA256 39dff1e83c6ae7968b164fd8ca4b97ad70955241b58cdb0ebe7a4d3092404189
SHA512 29c9090dfd2bb3bfbf66a42f8897ff130dfd4eedd389cf49e0544e7446c9a97e9c06ff50ade39084de9dc1821b7542dbdda30ae77a71f421dc684fe23101b5b0
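
Comparing hashes across the Files list tells the dropped copies apart: explorer.exe under MSOCache has the same SHA-256 as the submitted sample, so it is a byte-identical self-copy, whereas spoolsv.exe, lsm.exe and tmp4EDB.tmp.exe are different binaries and are the ones worth pulling for separate analysis; the \??\PIPE\srvsvc entry carries the hash of zero bytes and is a named pipe the sandbox recorded, not a dropped file. The Python below is an added helper, not part of the report, that groups the listed artifacts by hash and labels each group. The input is copied from the Files list (memory dumps omitted) plus the sample's own path from the Command Line section; the labels are ours, not the sandbox's.

```python
# SHA-256 of the submitted sample (report header) and of zero bytes.
SAMPLE_SHA256 = "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed input: (path, sha256) pairs copied from the Files list above, plus the
# sample's own path from the Command Line section. Memory dumps are omitted.
ARTIFACTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe",
     SAMPLE_SHA256),
    (r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe",
     "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f"),
    (r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe",
     "eda3ac5697f9618da517bd850020dcc397b9694dfb09d28acbf0379df81781be"),
    (r"\??\PIPE\srvsvc", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Local\Temp\VuTDFz0U9E.bat",
     "82714fa2eee36d84883823fb70df461e59eaf640f544e7abeac7f6d9558ebe12"),
    (r"C:\Users\Public\Documents\lsm.exe",
     "abf7722edd515b7fe74fa51000b80202e21c2cd4b2550c002695935313be95f4"),
    (r"C:\Users\Admin\AppData\Local\Temp\511f5aa7-066a-4fc7-8ea9-01c8ade37f8e.vbs",
     "095ce42e0701df711b229a43a544329d39e0761f97eefcbc421b73561c549aa8"),
    (r"C:\Users\Admin\AppData\Local\Temp\tmp4EDB.tmp.exe",
     "2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f"),
]


def classify(path, sha256, sample_sha256=SAMPLE_SHA256):
    """Label one artifact; the categories are ours, not the sandbox's."""
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if sha256 == EMPTY_SHA256:
        return "empty (no content captured)"
    if sha256 == sample_sha256:
        return "submitted sample or a byte-identical copy"
    if ext == "exe":
        return "distinct PE, analyse separately"
    if ext in ("vbs", "bat"):
        return "dropped script"
    return "other"


def group_by_hash(artifacts, sample_sha256=SAMPLE_SHA256):
    """One entry per distinct SHA-256 with its label and every path it was seen at."""
    groups = {}
    for path, sha256 in artifacts:
        g = groups.setdefault(sha256, {"label": classify(path, sha256, sample_sha256), "paths": []})
        g["paths"].append(path)
    return groups


def payload_hashes(artifacts, sample_sha256=SAMPLE_SHA256):
    """Hashes worth submitting for further analysis: the distinct PEs only."""
    return sorted(h for h, g in group_by_hash(artifacts, sample_sha256).items()
                  if g["label"].startswith("distinct PE"))


if __name__ == "__main__":
    for sha256, g in group_by_hash(ARTIFACTS).items():
        print(sha256[:12], g["label"], "at", "; ".join(g["paths"]))
```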

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 15:19

Reported

2024-10-14 15:21

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe"

Signatures

Colibri Loader

loader colibri

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\upfc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6201.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6201.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE143.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE143.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1321.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1321.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\upfc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2176 set thread context of 2956 N/A C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2304 set thread context of 1480 N/A C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 2212 set thread context of 4044 N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
PID 4680 set thread context of 4436 N/A C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe
PID 1932 set thread context of 3256 N/A C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe
PID 2416 set thread context of 228 N/A C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe
PID 2848 set thread context of 3436 N/A C:\Users\Admin\AppData\Local\Temp\tmp6201.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp6201.tmp.exe
PID 3296 set thread context of 2396 N/A C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe
PID 5032 set thread context of 512 N/A C:\Users\Admin\AppData\Local\Temp\tmpE143.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpE143.tmp.exe
PID 1820 set thread context of 400 N/A C:\Users\Admin\AppData\Local\Temp\tmp1321.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1321.tmp.exe
PID 3712 set thread context of 3068 N/A C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe
PID 1388 set thread context of 3424 N/A C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe
PID 3016 set thread context of 2492 N/A C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\InputMethod\SHARED\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File created C:\Windows\L2Schemas\upfc.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Windows\L2Schemas\RCXA2DB.tmp C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Windows\Speech\Engines\TTS\RCXA4F0.tmp C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File created C:\Windows\InputMethod\SHARED\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File created C:\Windows\L2Schemas\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File created C:\Windows\Speech\Engines\TTS\dllhost.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File created C:\Windows\Speech\Engines\TTS\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Windows\InputMethod\SHARED\RCXA0D6.tmp C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Windows\InputMethod\SHARED\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Windows\L2Schemas\upfc.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
File opened for modification C:\Windows\Speech\Engines\TTS\dllhost.exe C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpE143.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp1321.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp6201.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\L2Schemas\upfc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A
N/A N/A C:\Windows\L2Schemas\upfc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\upfc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2800 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2800 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2176 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2176 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2176 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2176 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2176 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2176 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2176 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe
PID 2800 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\L2Schemas\upfc.exe
PID 2800 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe C:\Windows\L2Schemas\upfc.exe
PID 2848 wrote to memory of 616 N/A C:\Windows\L2Schemas\upfc.exe C:\Windows\System32\WScript.exe
PID 2848 wrote to memory of 616 N/A C:\Windows\L2Schemas\upfc.exe C:\Windows\System32\WScript.exe
PID 2848 wrote to memory of 3912 N/A C:\Windows\L2Schemas\upfc.exe C:\Windows\System32\WScript.exe
PID 2848 wrote to memory of 3912 N/A C:\Windows\L2Schemas\upfc.exe C:\Windows\System32\WScript.exe
PID 2848 wrote to memory of 2304 N/A C:\Windows\L2Schemas\upfc.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 2848 wrote to memory of 2304 N/A C:\Windows\L2Schemas\upfc.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 2848 wrote to memory of 2304 N/A C:\Windows\L2Schemas\upfc.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 2304 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 2304 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 2304 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 2304 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 2304 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 2304 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 2304 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe
PID 616 wrote to memory of 4160 N/A C:\Windows\System32\WScript.exe C:\Windows\L2Schemas\upfc.exe
PID 616 wrote to memory of 4160 N/A C:\Windows\System32\WScript.exe C:\Windows\L2Schemas\upfc.exe
PID 4160 wrote to memory of 912 N/A C:\Windows\L2Schemas\upfc.exe C:\Windows\System32\WScript.exe
PID 4160 wrote to memory of 912 N/A C:\Windows\L2Schemas\upfc.exe C:\Windows\System32\WScript.exe
PID 4160 wrote to memory of 1192 N/A C:\Windows\L2Schemas\upfc.exe C:\Windows\System32\WScript.exe
PID 4160 wrote to memory of 1192 N/A C:\Windows\L2Schemas\upfc.exe C:\Windows\System32\WScript.exe
PID 4160 wrote to memory of 4796 N/A C:\Windows\L2Schemas\upfc.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
PID 4160 wrote to memory of 4796 N/A C:\Windows\L2Schemas\upfc.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
PID 4160 wrote to memory of 4796 N/A C:\Windows\L2Schemas\upfc.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
PID 4796 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
PID 4796 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
PID 4796 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
PID 2212 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
PID 2212 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
PID 2212 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
PID 2212 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\upfc.exe N/A (13 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\upfc.exe N/A (13 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\upfc.exe N/A (13 identical rows)
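The three values above are the whole of the UAC prompt configuration: EnableLUA = 0 turns UAC off at the next reboot, ConsentPromptBehaviorAdmin = 0 makes elevation requests succeed without any prompt, and PromptOnSecureDesktop = 0 takes whatever prompt remains off the secure desktop. The following host check is an added example for triage of an infected machine and is not part of the sandbox report; it assumes the Windows default values as the baseline (EnableLUA = 1, ConsentPromptBehaviorAdmin = 5, PromptOnSecureDesktop = 1), so substitute your own hardened values if they differ, and run it from an elevated PowerShell session.

```powershell
# Added triage example (not part of the sandbox report): audit the UAC policy
# values the sample sets to 0 and optionally restore them.
# Assumption: the baseline below is the Windows default; adjust if your
# build uses different values.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Baseline = [ordered]@{
    EnableLUA                  = 1   # 0 = UAC disabled after the next reboot
    ConsentPromptBehaviorAdmin = 5   # 0 = elevate silently, no prompt
    PromptOnSecureDesktop      = 1   # 0 = prompts rendered on the normal desktop
}

function Get-UacPolicyFindings {
    # One object per policy value, flagged when it differs from the baseline
    # or is missing entirely.
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    foreach ($name in $Baseline.Keys) {
        $value = $current.$name
        [pscustomobject]@{
            Name     = $name
            Current  = $value
            Expected = $Baseline[$name]
            Tampered = ($null -eq $value) -or ($value -ne $Baseline[$name])
        }
    }
}

$findings = Get-UacPolicyFindings
$findings | Format-Table -AutoSize

if ($findings | Where-Object Tampered) {
    # Both the original binary and every C:\Windows\L2Schemas\upfc.exe instance
    # rewrite these values, so restoring them is only useful once the scheduled
    # tasks that relaunch upfc.exe have been removed.
    Write-Warning 'UAC policy values differ from baseline; remove persistence before restoring.'
    # Uncomment to restore the baseline:
    # foreach ($f in $findings | Where-Object Tampered) {
    #     Set-ItemProperty -Path $PolicyKey -Name $f.Name -Value $f.Expected -Type DWord
    # }
}
```

The restore step is left commented out on purpose: with the MINUTE-interval tasks still registered, upfc.exe is relaunched within minutes and writes the zeros back, which is also why the table above shows thirteen rows per value rather than one.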

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe

"C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\NetHood\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\SHARED\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\InputMethod\SHARED\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\L2Schemas\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\TTS\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\TTS\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\TTS\dllhost.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\L2Schemas\upfc.exe

"C:\Windows\L2Schemas\upfc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c98ac34-dba6-4a8c-9526-91b368971417.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e553c5b-2a9e-4764-90fb-86c2a15bb605.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eefb12f7-e527-4073-a7f5-c8da8663effe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad364295-0f85-43db-bf27-dce128e74242.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\667dd22b-d114-492e-b770-f5ae36df307a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26b60561-1e3c-487e-a337-f56d82f816a5.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df49bdc9-7183-495f-b1b0-12285e8569d9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70044b35-fc1c-45f4-b457-0bc2b87102d1.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea95635b-695a-42f2-acb5-3ccf0d965c7c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fe402e8-ad99-4b55-b358-16ac56fec8de.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp30FE.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36cc1511-511e-49a8-953d-53a5d3bee841.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2aaa2fa1-7215-41bd-8c85-0a863464c09d.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp6201.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6201.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp6201.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6201.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcdacae5-f179-443f-adfa-52226ce3a9eb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23c87aeb-1c1c-4452-b9fd-dd2bc79fa582.vbs"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e19afbef-36f3-4c91-aabc-fa51d1e3a161.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\246be212-9cdc-4ed6-aeee-10405a4735b3.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB179.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed84798a-f401-4ab6-8fa5-b902571999fc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80b53a22-1fd6-4d95-836b-38639dae72ca.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpE143.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE143.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpE143.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE143.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd757962-0026-4b49-bab3-8e88817a250d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5785245e-b223-46b8-82ae-5b915d4e22bf.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp1321.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1321.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp1321.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1321.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8168b1d4-4e46-4e5c-9580-a81af901732a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf2b8a8e-0aed-4de1-94dd-08877765a7fe.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2F05.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58e19ce9-31d8-4cf4-b316-67e045c79db1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c0bc66c-56d2-4a26-a396-8dae4e143813.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe"

C:\Windows\L2Schemas\upfc.exe

C:\Windows\L2Schemas\upfc.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19aa1be2-2618-4a80-be9c-eb929f7425c4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52c6847b-18a1-4b08-bb31-2696d9fa052a.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6596.tmp.exe"

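Two patterns in the process list above are worth turning into host checks. First, each dropped copy gets three schtasks.exe invocations: a MINUTE-interval task under a name with one extra character (SystemS, unsecappu, upfcu, dllhostd), an ONLOGON task under the plain name with /rl HIGHEST, and a second MINUTE-interval task that reuses the first name with /f and /rl HIGHEST, so it overwrites the first. The task names and file names copy real Windows binaries (unsecapp.exe normally lives in System32\wbem, dllhost.exe in System32) but the actions point into odd system subfolders (L2Schemas, InputMethod\SHARED, Speech\Engines\TTS) or into the user profile (NetHood). Second, the twelve Add-MpPreference calls exclude every top-level directory on C: from Defender, which is equivalent to excluding the whole drive. The script below is an added example, not tooling from the report or the sandbox vendor; it needs an elevated PowerShell on Windows 8 / Server 2012 or later (Get-ScheduledTask and Get-MpPreference), and the list of trusted Windows directories is an assumption chosen from this sample's drop locations that you should extend for your environment.

```powershell
# Added triage example (not part of the sandbox report): find scheduled tasks
# whose action runs from an unexpected location, and Defender path exclusions
# broad enough to cover a drive. Assumption: the directory list below is
# illustrative; extend it for software you expect to see in tasks.

# Directories a scheduled Windows binary would normally run from. An action
# under C:\Windows but outside these, or anywhere in a user profile, is flagged.
$TrustedWindowsDirs = @(
    "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS",   "$env:SystemRoot\servicing"
)

function Test-SuspiciousTaskPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"', "'"))
    $inUserProfile = $p -like "$env:SystemDrive\Users\*"
    $inWindows     = $p -like "$env:SystemRoot\*"
    $inTrusted     = [bool]($TrustedWindowsDirs | Where-Object { $p -like "$_\*" })
    return $inUserProfile -or ($inWindows -and -not $inTrusted)
}

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            if (-not (Test-SuspiciousTaskPath $action.Execute)) { continue }
            # MINUTE /mo N from schtasks.exe shows up as a trigger repetition interval.
            $repeat = @($task.Triggers) | Where-Object { $_.Repetition.Interval }
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Execute   = $action.Execute
                RunLevel  = $task.Principal.RunLevel     # Highest == /rl HIGHEST
                Repeating = [bool]$repeat
                Triggers  = (@($task.Triggers) | ForEach-Object { $_.CimClass.CimClassName }) -join ','
            }
        }
    }
}

function Get-BroadDefenderExclusions {
    # A drive root ('C:/') or a top-level directory ('C:/Users/') excludes
    # everything beneath it from real-time scanning.
    $prefs = Get-MpPreference
    foreach ($path in @($prefs.ExclusionPath)) {
        if ([string]::IsNullOrEmpty($path)) { continue }
        $norm  = $path -replace '/', '\'
        $depth = ($norm.TrimEnd('\') -split '\\').Count   # 'C:' -> 1, 'C:\Users' -> 2
        if ($depth -le 2) { [pscustomobject]@{ Exclusion = $path; Depth = $depth } }
    }
}

$tasks = Get-SuspiciousScheduledTasks
$tasks | Format-Table -AutoSize
Get-BroadDefenderExclusions | Format-Table -AutoSize

# Remediation once the findings are confirmed. Kill the running copies first;
# otherwise a MINUTE-interval task relaunches them before you finish.
# $tasks | ForEach-Object { Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false }
# Get-BroadDefenderExclusions | ForEach-Object { Remove-MpPreference -ExclusionPath $_.Exclusion }
```

Security event 4698 (task created) records the same schtasks.exe activity with the full task XML if task auditing is enabled, which is the quickest way to confirm when the tasks appeared and under which account.
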
Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.29.10:443 g.bing.com tcp
US 8.8.8.8:53 10.29.171.150.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 8.2.21.104.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
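Of the names in the table, g.bing.com, tse1.mm.bing.net and the in-addr.arpa reverse lookups are ordinary Windows and sandbox background traffic. The sample's own traffic is the repeated plain-HTTP connection to 81888.cllt.nyashteam.ru on 104.21.2.8:80, one per upfc.exe instance, and the paired lookups of the two long consonant-heavy names ending in .cc and .cx, which never resolve to a connection here. 104.21.2.8 sits in a Cloudflare address range, so the IP alone is a weak indicator; the hostnames are the ones to hunt on. The following is an added example, not part of the report, that searches Sysmon's operational log on a host for these indicators; it assumes Sysmon is installed with DNS query logging (event 22) and network connection logging (event 3) enabled, and the indicator list copied from the table above is its only input.

```powershell
# Added hunting example (not part of the sandbox report): search Sysmon
# events 22 (DNS query) and 3 (network connect) for the indicators above.
# Assumption: Sysmon is installed and configured to log both event types.

$Domains = @(
    '81888.cllt.nyashteam.ru',
    'zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc',
    'yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx'
)
$C2 = @{ Ip = '104.21.2.8'; Port = 80 }   # Cloudflare range; weak on its own

function Get-SysmonEventData {
    # Flatten a Sysmon event's EventData <Data Name="..."> elements into one
    # object, keeping the event id and timestamp alongside the fields.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $data['TimeCreated'] = $Record.TimeCreated
        $data['EventId']     = $Record.Id
        [pscustomobject]$data
    }
}

function Find-C2Indicators {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $log = 'Microsoft-Windows-Sysmon/Operational'

    # Event 22: match the queried name exactly against the indicator list.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 22; StartTime = $Since } -ErrorAction SilentlyContinue |
        Get-SysmonEventData |
        Where-Object { $Domains -contains $_.QueryName } |
        Select-Object TimeCreated, EventId, Image, ProcessId, QueryName, QueryResults

    # Event 3: match the C2 endpoint. Plain HTTP on port 80 also leaves a full
    # request line in any proxy log, which is worth checking in parallel.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3; StartTime = $Since } -ErrorAction SilentlyContinue |
        Get-SysmonEventData |
        Where-Object { $_.DestinationIp -eq $C2.Ip -and [int]$_.DestinationPort -eq $C2.Port } |
        Select-Object TimeCreated, EventId, Image, ProcessId, DestinationIp, DestinationPort
}

Find-C2Indicators | Sort-Object TimeCreated | Format-Table -AutoSize
```

The Image column of any hit should be one of the paths from the process list (upfc.exe under C:\Windows\L2Schemas, or the other dropped copies); a hit from a browser or from a legitimate signed binary needs a second look before it is treated as the same infection.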

Files

memory/2800-0-0x00007FF9DEF23000-0x00007FF9DEF25000-memory.dmp

memory/2800-1-0x0000000000750000-0x0000000000C44000-memory.dmp

memory/2800-2-0x000000001BB30000-0x000000001BC5E000-memory.dmp

memory/2800-3-0x00007FF9DEF20000-0x00007FF9DF9E1000-memory.dmp

memory/2800-4-0x0000000002E90000-0x0000000002EAC000-memory.dmp

memory/2800-5-0x000000001BA30000-0x000000001BA80000-memory.dmp

memory/2800-7-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

memory/2800-6-0x0000000002EB0000-0x0000000002EB8000-memory.dmp

memory/2800-8-0x000000001B9B0000-0x000000001B9C6000-memory.dmp

memory/2800-9-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

memory/2800-10-0x000000001B9E0000-0x000000001B9EA000-memory.dmp

memory/2800-11-0x000000001B9F0000-0x000000001BA02000-memory.dmp

memory/2800-12-0x000000001C790000-0x000000001CCB8000-memory.dmp

memory/2800-13-0x000000001BA00000-0x000000001BA0A000-memory.dmp

memory/2800-15-0x000000001BA80000-0x000000001BA8E000-memory.dmp

memory/2800-14-0x000000001BA10000-0x000000001BA1E000-memory.dmp

memory/2800-17-0x000000001BAA0000-0x000000001BAA8000-memory.dmp

memory/2800-16-0x000000001BA90000-0x000000001BA98000-memory.dmp

memory/2800-18-0x000000001BAB0000-0x000000001BABC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\System.exe

MD5 4cb19f29a50b590b4e049659105ec340
SHA1 80bc53b20a62cf2d790376f121ec32ef2b1dc905
SHA256 5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f
SHA512 53f74cb5cb83953316d0801c003e29c090acf4bb3d28f924ce70c188475dc052844abe7fd06825e068453496a5106f23d81e574c405b8887fa6445a71ed9ddd9

C:\Users\Admin\AppData\Local\Temp\tmpA25D.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/2956-60-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3j41wana.wpq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
