Malware Analysis Report

2024-10-23 16:29

Sample ID: 241015-z966qssbrl
Target: 4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c
SHA256: 4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c
Tags: dcrat evasion execution infostealer rat trojan colibri build1 discovery loader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c

Threat Level: Known bad

The file 4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c was found to be: Known bad.

Malicious Activity Summary

Tags: dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Signatures:
DcRat
UAC bypass
Colibri Loader
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System policy modification
Modifies registry class
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-15 21:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-15 21:26
Reported: 2024-10-15 21:28
Platform: win7-20240708-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe"

Signatures

DcRat

Tags: rat infostealer dcrat

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A   (57 identical rows)
File created | C:\Program Files\7-Zip\Lang\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File created | C:\Windows\Resources\Themes\Aero\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe   (57 identical rows)

UAC bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A   (10 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A   (10 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A   (2 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A   (10 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A   (2 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A   (2 identical rows)

DCRat payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A   (24 identical rows)

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A   (10 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A   (10 identical rows)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A   (2 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A   (2 identical rows)

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\Lang\RCXB639.tmp | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File created | C:\Program Files\Windows Portable Devices\csrss.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File opened for modification | C:\Program Files\Windows Portable Devices\csrss.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\csrss.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\csrss.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\services.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File created | C:\Program Files\Windows Portable Devices\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\services.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File created | C:\Program Files\7-Zip\Lang\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Resources\Themes\Aero\csrss.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\smss.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File created | C:\Windows\Resources\Themes\Aero\csrss.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File created | C:\Windows\Resources\Themes\Aero\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
File opened for modification | C:\Windows\Resources\Themes\Aero\RCXBCB2.tmp | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Tags: persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A   (57 identical rows)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1680 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\cmd.exe
PID 1680 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\cmd.exe
PID 1680 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\cmd.exe
PID 1704 wrote to memory of 2900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1704 wrote to memory of 2900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1704 wrote to memory of 2900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1704 wrote to memory of 3000 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
PID 1704 wrote to memory of 3000 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
PID 1704 wrote to memory of 3000 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
PID 3000 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe

"C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe

"C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UluF99a5gx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d6d94cf-8e2b-410d-9c1a-08d6d8fb1a7b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87dd81f3-b1eb-4b2f-bf15-c5d2bfacade3.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df368d10-6174-42ec-9784-c38094554933.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a509922-e19c-4200-9adf-6b851600d279.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\291ae2e4-2025-4f51-a15b-ce5151e70a2f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ce22090-6e4f-4a1e-8a5a-4f53876364aa.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\606a2ffa-f102-4c72-ab2c-da0ab3e7b0cb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c097d17-e02d-4133-93a0-06c37a149b64.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18d39be1-0a05-470d-8913-a39f0446a5cf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcbc7fda-bfda-4d8a-a900-8301ae7cf678.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2aa4157-c17c-4607-9db9-572710d87bf7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d435a25-fe90-4761-8ab2-7c272afb545e.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf3c1d73-010e-401f-b82b-2709c6125568.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe1d052c-ab59-4301-aa43-9f07ec3ba915.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aefc0204-37dd-49d3-98c0-e2e5028db4f3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367979f6-7240-4753-a1ce-0d192ab65ce8.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f8c2996-c6bd-4e2a-a2f1-e8e294f67335.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47646849-9ea1-466f-9cd1-196bd43197ec.vbs"

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c3c6656-a377-4ab8-94fc-2bb2c9b688cd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f0782f-785c-4e42-9cf6-a0fb27452188.vbs"
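The command-line listing above is a compact record of the sample's defense evasion and persistence: a dozen Add-MpPreference calls that exclude every top-level directory from Defender scanning, batches of schtasks /create entries (one ONLOGON task with /rl HIGHEST plus minute-interval tasks) whose targets reuse Windows binary names such as csrss.exe, dwm.exe, wininit.exe and spoolsv.exe but live outside System32, and w32tm /stripchart against localhost, which dropper batch files commonly use as a sleep in place of timeout. The script below is an added triage helper, not part of the sandbox report or of the sample: it parses lines of this shape and returns the exclusions, the masquerading task targets and the sleep substitutes. The SYSTEM_BINARIES set and LEGIT_DIRS are my own choices (names whose genuine copy lives in System32 or SysWOW64), the regexes are tailored to the quoting seen in this listing, and SAMPLE is constructed from a few lines of the listing plus one benign task for contrast.

```python
"""Triage of sandbox process command lines (added example, not from the report).

Flags three things seen in the listing above:
  * Defender exclusions added with Add-MpPreference -ExclusionPath
  * schtasks /create persistence whose target borrows a Windows binary
    name but sits outside the directory the genuine binary lives in
  * w32tm /stripchart /computer:localhost, used as a delay in batch droppers
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumption: names the sample reuses whose real copy lives in System32/SysWOW64.
SYSTEM_BINARIES = {
    "csrss.exe", "dwm.exe", "wininit.exe", "spoolsv.exe", "taskhost.exe",
    "services.exe", "audiodg.exe", "dllhost.exe", "sppextcomobj.exe",
}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
# Option values are either a double-quoted string or a bare token.
OPT_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("(?:[^"]*)"|\S+)', re.I)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
W32TM_RE = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.I)


def is_masquerade(path: str) -> bool:
    """True when the file name is a known system binary but the directory is not."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in LEGIT_DIRS


@dataclass
class ScheduledTask:
    name: str
    schedule: str
    modifier: Optional[str]
    target: str
    run_level: Optional[str]

    @property
    def masquerades(self) -> bool:
        return is_masquerade(self.target)


def _unquote(value: str) -> str:
    # Targets in the listing are wrapped twice: "'C:\path\x.exe'"
    return value.strip('"').strip("'")


def parse_schtasks(cmdline: str) -> Optional[ScheduledTask]:
    """Return the task described by a schtasks /create line, else None."""
    if not SCHTASKS_RE.search(cmdline):
        return None
    opts = {k.lower(): _unquote(v) for k, v in OPT_RE.findall(cmdline)}
    if "tn" not in opts or "tr" not in opts:
        return None
    return ScheduledTask(
        name=opts["tn"],
        schedule=opts.get("sc", "").upper(),
        modifier=opts.get("mo"),
        target=opts["tr"],
        run_level=opts.get("rl"),
    )


def parse_exclusion(cmdline: str) -> Optional[str]:
    """Return the path passed to Add-MpPreference -ExclusionPath, else None."""
    m = EXCL_RE.search(cmdline)
    return m.group(1) if m else None


@dataclass
class Findings:
    exclusions: List[str] = field(default_factory=list)
    masquerade_tasks: List[ScheduledTask] = field(default_factory=list)
    highest_tasks: List[ScheduledTask] = field(default_factory=list)
    sleep_substitutes: int = 0


def triage(cmdlines: List[str]) -> Findings:
    """Run all three checks over a list of command lines."""
    f = Findings()
    for line in cmdlines:
        if (excl := parse_exclusion(line)):
            f.exclusions.append(excl)
        if (task := parse_schtasks(line)):
            if task.masquerades:
                f.masquerade_tasks.append(task)
            if (task.run_level or "").upper() == "HIGHEST":
                f.highest_tasks.append(task)
        if W32TM_RE.search(line):
            f.sleep_substitutes += 1
    return f


# Constructed sample: lines copied from the listing above plus one benign
# System32 task ("Backup") that must not be flagged.
SAMPLE = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f""",
    r"""schtasks.exe /create /tn "Backup" /sc DAILY /tr "'C:\Windows\System32\dllhost.exe'" /f""",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for path in result.exclusions:
        print(f"[defender-exclusion] {path}")
    for t in result.masquerade_tasks:
        every = f" /mo {t.modifier}" if t.modifier else ""
        print(f"[masquerade-task] {t.name}: {t.target} ({t.schedule}{every}, rl={t.run_level})")
    print(f"[w32tm-sleep] {result.sleep_substitutes} occurrence(s)")
```

On a live host the same checks apply to the output of schtasks /query /v /fo csv and Get-MpPreference, and the masquerade test alone catches the C:\Windows\en-US\SppExtComObj.exe path that performs the registry writes in behavioral2.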

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp

Files

memory/1680-0-0x000007FEF5083000-0x000007FEF5084000-memory.dmp

memory/1680-1-0x0000000000D00000-0x00000000011F4000-memory.dmp

memory/1680-2-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

memory/1680-3-0x000000001B3F0000-0x000000001B51E000-memory.dmp

memory/1680-4-0x0000000000590000-0x00000000005AC000-memory.dmp

memory/1680-5-0x00000000005B0000-0x00000000005B8000-memory.dmp

memory/1680-6-0x00000000005C0000-0x00000000005D0000-memory.dmp

memory/1680-7-0x0000000000780000-0x0000000000796000-memory.dmp

memory/1680-8-0x00000000005D0000-0x00000000005E0000-memory.dmp

memory/1680-9-0x00000000007A0000-0x00000000007AA000-memory.dmp

memory/1680-10-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1680-11-0x0000000000B50000-0x0000000000B5A000-memory.dmp

memory/1680-12-0x0000000000B60000-0x0000000000B6E000-memory.dmp

memory/1680-13-0x0000000000B70000-0x0000000000B7E000-memory.dmp

memory/1680-14-0x0000000002600000-0x0000000002608000-memory.dmp

memory/1680-15-0x0000000002610000-0x0000000002618000-memory.dmp

memory/1680-16-0x0000000002620000-0x000000000262C000-memory.dmp

C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe

MD5 f11cb56089d86b89e8a22e2be3399c89
SHA1 f1143767c26d899493b0952228cb15e29b61930b
SHA256 4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c
SHA512 cf9a11bdc1d3955296be88a0b754f4e0e7f80e6af8afebab81db27e73618df4659dd78520288fab563dc5db4011b363278b9116cc0d496ea5b82bf489d56a11a

C:\Program Files\7-Zip\Lang\RCXB639.tmp

MD5 e2d004e3b1cc8245218f6c42a3732e71
SHA1 aa4458f7b5bf3708bf37385a8ba2d0300357d48f
SHA256 4f28d62117922a5a52bfe4420fec268d11bd52ca31f5ac91374ca0a4da4324be
SHA512 9d2650fe85afec5279195689d347bee18c0fad6aa90b7ad0369fdb1d5fca924ac5047dd06cb4a4451a52e8ccfcd2811b188e097af1730dcec27e99cba7fb0138

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 dbcb1d09f66ddd5f007292014dde0a1d
SHA1 72e1dc7801b7cc7c13e7106d61a39b8e6486e26c
SHA256 7a4df70dbdb18b5d90c1d1fd2f9ff6f6d206a4b6e92922c5deb5feb5e54ccf3a
SHA512 4516b8a47d5eca70f153d3d7b7a0eae19865ee1f575bd618fcd6b575f5f141dbb2d8f43446d408660f031f1b082365294c47a16e3af5f74fc80ff2103786e83a

memory/2648-100-0x000000001B710000-0x000000001B9F2000-memory.dmp

memory/2648-101-0x0000000002280000-0x0000000002288000-memory.dmp

memory/1680-118-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat

MD5 b959c5cba6edf78d4a5694e5b2b40447
SHA1 e7b58a436357026eb2e5858ac15d91a0009825fb
SHA256 9b032ccc938b02dde23e6b2c856ea658a86912138b3ebfaa8cfe9ca3dafdb6be
SHA512 1f9a6086e63d10dccc2e98fffb224b87fe58859186f1bd6a9d9c15f3b6fa27698094c5332af56c651d5cbe9a4f6d8b2415ce84904e2dcda8429710a138d363f1

memory/3000-147-0x0000000000FE0000-0x00000000014D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE521.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Local\Temp\UluF99a5gx.bat

MD5 94926e957f4404ae220d6534863a523a
SHA1 3261e1669cd69b9ee03a30c5e4fce3b9440ede02
SHA256 f4edbb0dcc96ab301300510722c00ff3ad6e9ef1c77987edde6ea7e7f8c9593b
SHA512 cbacaa9c286306e072cb0bf5759c1bbe21a623b21e1702408ebb04c190d79fcb7584bfe519000f21a2d4e2b7d76169b745f30fea8cef98a3c9eb915be2b5cbf8

memory/1576-221-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

memory/1576-220-0x000000001B500000-0x000000001B7E2000-memory.dmp

memory/684-266-0x0000000000E10000-0x0000000001304000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d6d94cf-8e2b-410d-9c1a-08d6d8fb1a7b.vbs

MD5 716771f59fa54791516946d3855568b0
SHA1 8dfeee84b4729364311b86f8633e2d63c6e36f7b
SHA256 1758fddd802f7f17b003313df99b5f95c98678870d14a1bb1af5e5ee2239b78c
SHA512 67026e9d33a9ad6f7225299cdf3a5b0fe77001c2bb06277b2b9012b90dd01da1557ec0a59c8d143cc6e2fbcb85452d11b60ef169cb5853a83365efc291a79096

C:\Users\Admin\AppData\Local\Temp\87dd81f3-b1eb-4b2f-bf15-c5d2bfacade3.vbs

MD5 a40056fa13e7b28e0051f6d82f455863
SHA1 b1e200ece914175b94c330ea86444dd5d2c91b39
SHA256 198b6af58bc47d5c2b69125282c1e1ea781d88e1fff18df56442552cfebf2f20
SHA512 2763293668354efa654cb6e693ceff9aa6114283157740a141d8a0073e345b88e8017c6d6a3629edda98d423da8ddec663f16c9e947658a7e208888c0530a4eb

memory/2848-280-0x0000000000140000-0x0000000000634000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\df368d10-6174-42ec-9784-c38094554933.vbs

MD5 98950ae04d8ffd0b410e6703ad456a9e
SHA1 7f11decc475ff9f8119f4aacbeb79bb3820084c1
SHA256 8695102dae3fe729631fa423670bec4c01b0130a8b70d92927c9066792a5f442
SHA512 bbfce9911f6b219befaf91f2dbd6012f002ab2378d47d4ed3d7b73480109775990d2c526dbcef62dcb6f8e90af35d95b664b5ff376a83c2a712a8c57278813e1

memory/2416-295-0x0000000000F10000-0x0000000001404000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\291ae2e4-2025-4f51-a15b-ce5151e70a2f.vbs

MD5 d6c10f068de83bd605d83e6ac224c0c2
SHA1 a4db3817b8bbaea2fbe5e4fd01c109a9241458dc
SHA256 a08f0c4a49c7764f7d06264425b26cf8d9277d2e193cff7c60a9fb9aeff96f16
SHA512 6c9c8351013687e732e3e0cc5b80160b44c1e5602bc13e45259d7c08c7a3ef97b02584501ec433b34cbefb7e9335c56350776be93cb045bde12694fae5ecf555

memory/2732-311-0x00000000003F0000-0x00000000008E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64d4e8ccf489ae3286332e24d7cacae58b7aad22.exe

MD5 07823c2cc738ecceee04f84aa32c7058
SHA1 86d41d2b4e951ba926ef6c6a6a5a020b3a3f3ff5
SHA256 83c775103b8f850943d8c5957c62450680966ddb7719cda1b70ad9333437f459
SHA512 f017248f38853d027bf6f1b3b8e50370bf670d2c775f30067fac5294bd5dbbc20622e8517c42f6d011a0e2358d167a9d633f983328378db4a7882ffb6e322e4e

C:\Users\Admin\AppData\Local\Temp\18d39be1-0a05-470d-8913-a39f0446a5cf.vbs

MD5 638bdbf2369b1de415ad744186637d7c
SHA1 5ac52459f4e01f9ca79b59a66eee8706c81bb2cb
SHA256 b93a6db4b62284526526b5d14e3649b99f22c24d2476bba67df0e9a34241c375
SHA512 a260929e21365a718fc7d8fae9de3a86d5322031887687b15430cb959ddab417898831741886dbb73ec70133ff54a272aea17c0cd4b58b9ebe4bf4297f2ca6ac

memory/544-326-0x00000000009D0000-0x0000000000EC4000-memory.dmp

memory/544-327-0x0000000000680000-0x0000000000692000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a2aa4157-c17c-4607-9db9-572710d87bf7.vbs

MD5 1159dec96ae8fbdd22b5d11ec2e6d41b
SHA1 1eb7282fa01a3f16b68e2243ffc29e5c8523952a
SHA256 26c0ffa67a0c59283de6a333c126214c6a7af8763f081928ea3033c1ad2f6745
SHA512 bfe7efabd1c6c3afb0bc1c851aacee6ab71bd38ebe6f46d0af9e43a86f835d744190e2460144f835977addbebbbf59688e4bde99426e48ee6ee293b6dd14a0df

memory/1552-342-0x0000000000DE0000-0x00000000012D4000-memory.dmp

memory/1552-343-0x0000000000510000-0x0000000000522000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bf3c1d73-010e-401f-b82b-2709c6125568.vbs

MD5 342d62d04a0f0532b28af4f088e31240
SHA1 139b39d4ae6ee43c8f77335d3fea5a28c17e5374
SHA256 5ac250fdcb53867fb13dbc50001e9372096d13990a6275ef778b3cbbc9a0e486
SHA512 3185e4921a069907e537f1d8cc418132e6ecfaa31e70cde9b73be47f8e346ac24ab28c2d4df04888858b941f7991e48bbccd27b1600726d0413655b4c4d59e66

C:\Users\Admin\AppData\Local\Temp\aefc0204-37dd-49d3-98c0-e2e5028db4f3.vbs

MD5 8a06c4d29d5ac8d5228b0523c9fb49d8
SHA1 1fbe67da53667a5321a07987ab80768acd7a6904
SHA256 a6929ea9063b1145528a05b7a93b0f1fc665e355a079d51d99d43cbfccfa97d9
SHA512 9033e77672e2c66aecd94b9ca3ab4f7aae4fcd6a681d7c3b79b76d2cf7c99550d79df12277520f047a0faddee77deb6da1e5597b2e20c1cf866808316ae8ba02

memory/1708-372-0x00000000010F0000-0x00000000015E4000-memory.dmp

memory/1708-373-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2f8c2996-c6bd-4e2a-a2f1-e8e294f67335.vbs

MD5 e917842be97ffbbdd7d9fecc5e03e2c3
SHA1 10824db5a90dc270fc7906e98cd1236a8b5941b2
SHA256 f0393f814c8f816169a6faee2024641a9619fdc6d25a59979e34304d113b12e8
SHA512 bcedc8026a464da00a82d7eb0f1de011d7c82298619fcaeacc28afa1479a6b5698f90273c5c68c483aa590510f3d130d9a0bb7af046181d8e0108c44d15b3b2d

memory/992-388-0x00000000011D0000-0x00000000016C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7c3c6656-a377-4ab8-94fc-2bb2c9b688cd.vbs

MD5 249d5594692ac42db25d7d0ca3687f3e
SHA1 b9ddf4b84d6e839a3b23cf8c5f9819ea90ca73d5
SHA256 6daa5934cf5d31c1ab7a745a688eccd3c30547527dfdc439c66a6cb9ca781066
SHA512 194ee43af385e5a0846ac1eeaa30e359883a87d11bac6b33ee8012ca0c94bebc8b696cbc802a5f32b4c8a4b52365cf2991a7e7d2365bb4f6bc941b810d3d02cc

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 21:26

Reported

2024-10-15 21:28

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe"

Signatures

Colibri Loader

loader colibri

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
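The UAC bypass table above is really three policy values being driven to zero, repeatedly, by a process running from C:\Windows\en-US (the genuine SppExtComObj.exe lives in System32): EnableLUA=0 switches UAC off for every user at the next logon or reboot, ConsentPromptBehaviorAdmin=0 lets administrators elevate silently in the meantime, and PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop where it can be automated. The code below is an added example, not part of the report: it parses rows of this table, reduces them to a last-write-wins view of the key, compares that to the Windows defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) and lists which process did the writing. The row regex assumes the exact column layout shown here, and SAMPLE_ROWS is constructed from three rows of the table.

```python
"""Interpret 'Set value' rows from a sandbox UAC bypass table (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows defaults for the three values the sample rewrites.
UAC_DEFAULTS: Dict[str, int] = {
    "EnableLUA": 1,                   # 1 = UAC on; 0 takes effect at next logon/reboot
    "ConsentPromptBehaviorAdmin": 5,  # 5 = prompt for consent for non-Windows binaries
    "PromptOnSecureDesktop": 1,       # 1 = elevation prompts on the secure desktop
}

# Assumption: columns are "Set value (type) <key>\<name> = "<data>" <process> <target>".
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\)\s+'
    r'(?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+)\s*=\s*"(?P<data>[^"]*)"\s+'
    r'(?P<process>.+?)\s+(?P<target>\S+)$'
)


@dataclass(frozen=True)
class RegWrite:
    key: str
    name: str
    data: str
    value_type: str
    process: str


def parse_row(line: str) -> Optional[RegWrite]:
    """Parse one 'Set value (...)' row; headers and other rows give None."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return RegWrite(m["key"], m["name"], m["data"], m["type"], m["process"])


def final_uac_state(writes: List[RegWrite]) -> Dict[str, int]:
    """Last-write-wins view of the UAC policy values under UAC_KEY."""
    state: Dict[str, int] = {}
    for w in writes:
        if w.key.lower() == UAC_KEY.lower() and w.name in UAC_DEFAULTS:
            state[w.name] = int(w.data)
    return state


def deviations(state: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Values that differ from the Windows default, as name -> (observed, default)."""
    return {n: (v, UAC_DEFAULTS[n]) for n, v in state.items() if v != UAC_DEFAULTS[n]}


def assess(state: Dict[str, int]) -> List[str]:
    """Plain-language impact of the observed values."""
    out: List[str] = []
    if state.get("EnableLUA") == 0:
        out.append("EnableLUA=0: UAC disabled for all users at next logon/reboot")
    if state.get("ConsentPromptBehaviorAdmin") == 0:
        out.append("ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt")
    if state.get("PromptOnSecureDesktop") == 0:
        out.append("PromptOnSecureDesktop=0: prompts leave the secure desktop and can be automated")
    return out


def writers(writes: List[RegWrite]) -> Counter:
    """Which process paths performed the writes; an odd path is itself a lead."""
    return Counter(w.process for w in writes)


# Constructed sample: three rows copied from the table above.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A',
]

if __name__ == "__main__":
    writes = [w for w in map(parse_row, SAMPLE_ROWS) if w]
    state = final_uac_state(writes)
    for name, (seen, default) in deviations(state).items():
        print(f"[uac] {name}: observed {seen}, default {default}")
    for line in assess(state):
        print(f"[impact] {line}")
    for proc, n in writers(writes).most_common():
        print(f"[writer] {n}x {proc}")
```

The same assessment can be run on a suspect host by feeding it reg query output for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, after adjusting ROW_RE to that format; the value names and defaults do not change.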

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\SppExtComObj.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1C1E.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1C1E.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4C75.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4C75.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB3CA.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB3CA.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp134F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp134F.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2E79.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2E79.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp792E.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp792E.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA985.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA985.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC460.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC460.tmp.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDFA8.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDFA8.tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
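Read together with the System policy modification rows above, the writes in this table turn UAC off: EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are each set to 0, first by the dropped SppExtComObj.exe and once by the original sample. The Python below is an added illustration, not part of the sandbox report and not DcRat code; it replays "Set value (int)" rows in the report's own flattened format on top of the stock Windows defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1, assumed here) and states what the final triple means. The sample rows are constructed from the events listed on this page.

```python
import re
from typing import Dict, Iterable, Iterator, List, Tuple

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Stock Windows defaults for the three values the sample rewrites (assumed, not taken from the report).
WINDOWS_DEFAULTS: Dict[str, int] = {
    "EnableLUA": 1,                    # UAC on
    "ConsentPromptBehaviorAdmin": 5,   # prompt for consent for non-Windows binaries
    "PromptOnSecureDesktop": 1,        # prompt shown on the secure desktop
}

# One registry row in the report's flattened format:
#   Set value (int) <key>\<name> = "<int>" <process> N/A
_SET_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\ ]+) = "(?P<val>-?\d+)" (?P<proc>.+?) N/A$'
)

# Constructed sample rows, copied from events on this page (a duplicate and a read are kept on purpose).
SAMPLE_ROWS: List[str] = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A',
]


def parse_policy_writes(rows: Iterable[str]) -> Iterator[Tuple[str, int, str]]:
    """Yield (value name, integer written, writing process) for every write under the
    UAC policy key; reads and writes to other keys are ignored."""
    for row in rows:
        m = _SET_RE.match(row)
        if m and m.group("key") == POLICY_KEY:
            yield m.group("name"), int(m.group("val")), m.group("proc")


def final_policy_state(rows: Iterable[str]) -> Dict[str, int]:
    """Replay the writes in report order on top of the defaults; the last write wins,
    exactly as the live registry would end up."""
    state = dict(WINDOWS_DEFAULTS)
    for name, val, _ in parse_policy_writes(rows):
        state[name] = val
    return state


def assess_uac(state: Dict[str, int]) -> List[str]:
    """Explain what the three values mean together. EnableLUA=0 switches UAC off
    (effective after the next reboot); with UAC still on, ConsentPromptBehaviorAdmin=0
    lets members of Administrators elevate without any prompt, and PromptOnSecureDesktop=0
    leaves whatever prompt does appear on the normal, spoofable desktop."""
    findings = []
    if state.get("EnableLUA", 1) == 0:
        findings.append("EnableLUA=0: UAC disabled outright (applies at next reboot)")
    if state.get("ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
    if state.get("PromptOnSecureDesktop", 1) == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompt not isolated on the secure desktop")
    return findings


def uac_weakening_processes(rows: Iterable[str]) -> List[str]:
    """Distinct image paths that wrote a weakening (zero) value; these are the
    processes to pivot on in the rest of the report."""
    return sorted({proc for _, val, proc in parse_policy_writes(rows) if val == 0})


if __name__ == "__main__":
    state = final_policy_state(SAMPLE_ROWS)
    print(state)
    for line in assess_uac(state):
        print(" -", line)
    print("written by:", uac_weakening_processes(SAMPLE_ROWS))
```

The replay matters more than any single row: a sandbox that only alerts on "EnableLUA set" would miss the ConsentPromptBehaviorAdmin=0 / PromptOnSecureDesktop=0 pair, which defeats the prompt on a host where UAC is still nominally enabled because the EnableLUA change has not yet taken effect.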

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2076 set thread context of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 5000 set thread context of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 4896 set thread context of 2244 N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
PID 3744 set thread context of 964 N/A C:\Users\Admin\AppData\Local\Temp\tmp1C1E.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1C1E.tmp.exe
PID 5032 set thread context of 2872 N/A C:\Users\Admin\AppData\Local\Temp\tmp4C75.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp4C75.tmp.exe
PID 4400 set thread context of 1760 N/A C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe
PID 3120 set thread context of 5024 N/A C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe
PID 4256 set thread context of 1760 N/A C:\Users\Admin\AppData\Local\Temp\tmpB3CA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB3CA.tmp.exe
PID 3732 set thread context of 1824 N/A C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe
PID 4756 set thread context of 1116 N/A C:\Users\Admin\AppData\Local\Temp\tmp134F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp134F.tmp.exe
PID 4344 set thread context of 4900 N/A C:\Users\Admin\AppData\Local\Temp\tmp2E79.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2E79.tmp.exe
PID 1136 set thread context of 740 N/A C:\Users\Admin\AppData\Local\Temp\tmp792E.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp792E.tmp.exe
PID 4600 set thread context of 5012 N/A C:\Users\Admin\AppData\Local\Temp\tmpA985.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA985.tmp.exe
PID 1556 set thread context of 4380 N/A C:\Users\Admin\AppData\Local\Temp\tmpC460.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpC460.tmp.exe
PID 2016 set thread context of 1912 N/A C:\Users\Admin\AppData\Local\Temp\tmpDFA8.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDFA8.tmp.exe
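Every row above pairs a tmp*.tmp.exe parent with a child running the same image, and the "Suspicious use of WriteProcessMemory" rows later in this section show the same parent (for example PID 2076) writing into that child first. A self-spawned copy that is written into and then has its thread context replaced is the process-hollowing pattern; one PID (1760) is also the target of two different parents, so PIDs alone are not a stable key within a detonation. The Python below is an added example, not part of the report, that correlates the two event types; the sample rows are constructed from PIDs and paths on this page, and the Event/Candidate/writers_of names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Set, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample rows in the report's flattened format, built from PIDs and
# image paths that appear on this page.
SAMPLE_EVENTS: List[str] = [
    f"PID 4540 wrote to memory of 2076 N/A {DROPPER} {TEMP}\\tmpABF2.tmp.exe",
    f"PID 4540 wrote to memory of 436 N/A {DROPPER} {POWERSHELL}",
    f"PID 2076 wrote to memory of 2060 N/A {TEMP}\\tmpABF2.tmp.exe {TEMP}\\tmpABF2.tmp.exe",
    f"PID 2076 set thread context of 2060 N/A {TEMP}\\tmpABF2.tmp.exe {TEMP}\\tmpABF2.tmp.exe",
    f"PID 4400 set thread context of 1760 N/A {TEMP}\\tmp7C01.tmp.exe {TEMP}\\tmp7C01.tmp.exe",
    f"PID 4256 set thread context of 1760 N/A {TEMP}\\tmpB3CA.tmp.exe {TEMP}\\tmpB3CA.tmp.exe",
]

# "PID <src> <action> <dst> N/A <source image> <target image>"; the target image is
# anchored on a drive letter so a source path containing spaces still splits correctly.
_EVT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_image>.+?) (?P<dst_image>[A-Za-z]:\\.+)$"
)


@dataclass(frozen=True)
class Event:
    src: int
    action: str
    dst: int
    src_image: str
    dst_image: str


@dataclass
class Candidate:
    src: int
    dst: int
    image: str
    same_image: bool      # child runs the parent's own image (self-spawned copy)
    memory_written: bool  # parent also wrote into the child before retargeting its thread


def parse_events(rows: Iterable[str]) -> Iterator[Event]:
    for row in rows:
        m = _EVT_RE.match(row)
        if m:
            yield Event(int(m["src"]), m["action"], int(m["dst"]), m["src_image"], m["dst_image"])


def hollowing_candidates(rows: Iterable[str]) -> List[Candidate]:
    """One candidate per SetThreadContext edge. Keyed on (src, dst, src_image) rather than
    the PID pair alone because sandboxes recycle PIDs (1760 is hit by two different parents)."""
    events = list(parse_events(rows))
    writes = {(e.src, e.dst, e.src_image) for e in events if e.action == "wrote to memory of"}
    out: List[Candidate] = []
    for e in events:
        if e.action != "set thread context of":
            continue
        out.append(Candidate(
            src=e.src, dst=e.dst, image=e.src_image,
            same_image=e.src_image.lower() == e.dst_image.lower(),
            memory_written=(e.src, e.dst, e.src_image) in writes,
        ))
    return out


def writers_of(rows: Iterable[str], pid: int) -> Set[Tuple[int, str]]:
    """Who wrote into `pid`: one step up the injection chain (here the dropper wrote
    into the tmp*.tmp.exe loader before that loader hollowed its own child)."""
    return {(e.src, e.src_image) for e in parse_events(rows)
            if e.action == "wrote to memory of" and e.dst == pid}


if __name__ == "__main__":
    for c in hollowing_candidates(SAMPLE_EVENTS):
        verdict = "hollowing" if c.same_image and c.memory_written else "thread context only"
        print(f"{c.src} -> {c.dst} {c.image}: {verdict}; written into by {writers_of(SAMPLE_EVENTS, c.src)}")
```

In the sample only the 2076 -> 2060 edge has both signals, because the constructed rows include the WriteProcessMemory events for that pair alone; running the same correlation over the full tables in this section would upgrade each of the fifteen pairs above the same way.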

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\aa97147c4c782d C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Program Files\Common Files\System\uk-UA\sysmon.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXA9FD.tmp C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Program Files\Common Files\System\uk-UA\RCXAC13.tmp C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Program Files\Common Files\System\uk-UA\sysmon.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXAE27.tmp C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Program Files\Common Files\System\uk-UA\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCXB753.tmp C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\Speech\System.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Windows\InputMethod\SHARED\Registry.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Windows\InputMethod\SHARED\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Windows\InputMethod\SHARED\RCXB2BD.tmp C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Windows\en-US\RCXB53E.tmp C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Windows\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Windows\Registration\CRMLog\sysmon.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Windows\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Windows\en-US\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Windows\Registration\CRMLog\sysmon.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File created C:\Windows\Registration\CRMLog\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Windows\InputMethod\SHARED\Registry.exe C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
File opened for modification C:\Windows\Registration\CRMLog\RCXBB6C.tmp C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
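The drop locations in the two tables above follow one pattern: a binary that borrows the name of a Windows component (sihost.exe, RuntimeBroker.exe, SppExtComObj.exe, MusNotification.exe) or of Sysinternals sysmon.exe, or the name of a kernel-side process that has no user-mode executable at all (System.exe, Registry.exe), is written into a directory where that name does not belong, next to a 14-hex-character companion file with no extension, with RCX*.tmp files used for staging. The Python below is an added example, not part of the report; it parses "File created" rows in the report's format and flags both signals. The expected-directory table and the no-disk-image list are the example's own assumptions about a stock Windows install, and the sample rows are constructed from the paths listed above.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Iterator, List, Tuple

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe"

# Paths from the two "Drops file" tables on this page; one RCX*.tmp staging file is
# included to show it is not mistaken for a companion file.
DROPPED_PATHS: List[str] = [
    r"C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe",
    r"C:\Program Files (x86)\Reference Assemblies\Microsoft\66fc9ff0ee96c2",
    r"C:\Program Files (x86)\Windows Multimedia Platform\MusNotification.exe",
    r"C:\Program Files (x86)\Windows Multimedia Platform\aa97147c4c782d",
    r"C:\Program Files\Common Files\System\uk-UA\sysmon.exe",
    r"C:\Program Files\Common Files\System\uk-UA\121e5b5079f7c0",
    r"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe",
    r"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\9e8d7a4ca61bd9",
    r"C:\Windows\System\Speech\System.exe",
    r"C:\Windows\InputMethod\SHARED\Registry.exe",
    r"C:\Windows\InputMethod\SHARED\ee2ad38f3d4382",
    r"C:\Windows\InputMethod\SHARED\RCXB2BD.tmp",
    r"C:\Windows\en-US\SppExtComObj.exe",
    r"C:\Windows\en-US\e1ef82546f0b02",
    r"C:\Windows\Registration\CRMLog\sysmon.exe",
    r"C:\Windows\Registration\CRMLog\121e5b5079f7c0",
]
# Constructed rows in the report's flattened "File created <path> <process> N/A" format.
SAMPLE_ROWS: List[str] = [f"File created {p} {DROPPER} N/A" for p in DROPPED_PATHS]

# The dropped path may contain spaces, so the process column is anchored on a drive letter.
_FILE_RE = re.compile(
    r"^File (?:created|opened for modification) (?P<path>.+?) (?P<proc>[A-Za-z]:\\\S+) N/A$"
)

# Assumed: where these names live on a stock install. Windows components sit in
# System32; Sysinternals Sysmon copies itself to %SystemRoot% when installed.
EXPECTED_DIRS: Dict[str, Tuple[str, ...]] = {
    "sihost.exe": (r"c:\windows\system32",),
    "runtimebroker.exe": (r"c:\windows\system32",),
    "sppextcomobj.exe": (r"c:\windows\system32",),
    "musnotification.exe": (r"c:\windows\system32",),
    "sysmon.exe": (r"c:\windows",),
}
# Analyst-curated: names of kernel-side processes that have no user-mode executable,
# so any file carrying the name is masquerading wherever it is written.
NO_DISK_IMAGE = {"system.exe", "registry.exe"}
# Companion marker seen in this report: 14 lowercase hex characters, no extension.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")


def parse_drops(rows: Iterable[str]) -> Iterator[Tuple[PureWindowsPath, str]]:
    for row in rows:
        m = _FILE_RE.match(row)
        if m:
            yield PureWindowsPath(m["path"]), m["proc"]


def masquerading_paths(rows: Iterable[str]) -> List[Tuple[str, str]]:
    """(path, reason) for every dropped file whose name belongs somewhere else."""
    hits = []
    for path, _ in parse_drops(rows):
        name, parent = path.name.lower(), str(path.parent).lower()
        if name in NO_DISK_IMAGE:
            hits.append((str(path), "name of a process that has no on-disk executable"))
        elif name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
            hits.append((str(path), f"{path.name} outside {' or '.join(EXPECTED_DIRS[name])}"))
    return hits


def exe_with_companion(rows: Iterable[str]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Directories that received both an .exe and a 14-hex companion file in the same run:
    lower-cased directory -> (exe names, companion names)."""
    by_dir: Dict[str, set] = defaultdict(set)
    for path, _ in parse_drops(rows):
        by_dir[str(path.parent).lower()].add(path.name.lower())
    paired = {}
    for d, names in by_dir.items():
        exes = sorted(n for n in names if n.endswith(".exe"))
        comps = sorted(n for n in names if COMPANION_RE.match(n))
        if exes and comps:
            paired[d] = (exes, comps)
    return paired


if __name__ == "__main__":
    for p, why in masquerading_paths(SAMPLE_ROWS):
        print(f"MASQUERADE {p}: {why}")
    for d, (exes, comps) in exe_with_companion(SAMPLE_ROWS).items():
        print(f"PAIRED {d}: {exes} + {comps}")
```

The two checks are independent on purpose: the name check catches a lone System.exe under C:\Windows\System\Speech, which has no companion, while the companion check catches a directory pair even when the executable carries a name the allowlist does not know.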

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpC460.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp1C1E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4C75.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp134F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB3CA.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDFA8.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp792E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2E79.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA985.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\en-US\SppExtComObj.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A
N/A N/A C:\Windows\en-US\SppExtComObj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\SppExtComObj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4540 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 4540 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 4540 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 2076 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 2076 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 2076 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 2076 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 2076 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 2076 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 2076 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe
PID 4540 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\en-US\SppExtComObj.exe
PID 4540 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\en-US\SppExtComObj.exe
PID 4164 wrote to memory of 4732 N/A C:\Windows\en-US\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4164 wrote to memory of 4732 N/A C:\Windows\en-US\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4164 wrote to memory of 4868 N/A C:\Windows\en-US\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4164 wrote to memory of 4868 N/A C:\Windows\en-US\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4164 wrote to memory of 5000 N/A C:\Windows\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 4164 wrote to memory of 5000 N/A C:\Windows\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 4164 wrote to memory of 5000 N/A C:\Windows\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe
PID 4732 wrote to memory of 4088 N/A C:\Windows\System32\WScript.exe C:\Windows\en-US\SppExtComObj.exe
PID 4732 wrote to memory of 4088 N/A C:\Windows\System32\WScript.exe C:\Windows\en-US\SppExtComObj.exe
PID 4088 wrote to memory of 4364 N/A C:\Windows\en-US\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4088 wrote to memory of 4364 N/A C:\Windows\en-US\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4088 wrote to memory of 32 N/A C:\Windows\en-US\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4088 wrote to memory of 32 N/A C:\Windows\en-US\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4088 wrote to memory of 4896 N/A C:\Windows\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
PID 4088 wrote to memory of 4896 N/A C:\Windows\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
PID 4088 wrote to memory of 4896 N/A C:\Windows\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
PID 4896 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
PID 4896 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
PID 4896 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
PID 4896 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
PID 4896 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
PID 4896 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
PID 4896 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
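
Added example (Python; not part of the sandbox report). The rows above are WriteProcessMemory events, logged once per call. Read as parent-to-child edges (an assumption stated in the code: in this detonation every written-to PID is a process the writer has just started), they give the whole relaunch chain. The script collapses the repeats into unique edges with a write count, walks any PID back to the root, and tags two shapes the report's own signatures cover: a process writing into a fresh copy of its own image (the tmp*.tmp.exe pairs, consistent with the "Suspicious use of SetThreadContext" signature and the usual shape of RunPE-style hollowing) and a child that is a script interpreter (powershell.exe, WScript.exe). Sample rows are copied from the table above.

```python
import re

# One row of the "Suspicious use of WriteProcessMemory" table above:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
# The last token is taken as the target image, so a target path must not
# contain spaces (true for every row in this report).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (.+?) (\S+)$")
INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}

# Constructed sample: rows copied from the table above (repeats kept on purpose).
SAMPLE_ROWS = [
    r"PID 4540 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 4540 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe C:\Windows\en-US\SppExtComObj.exe",
    r"PID 4164 wrote to memory of 4732 N/A C:\Windows\en-US\SppExtComObj.exe C:\Windows\System32\WScript.exe",
    r"PID 4164 wrote to memory of 5000 N/A C:\Windows\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe",
    r"PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe",
    r"PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe",
    r"PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe",
    r"PID 4732 wrote to memory of 4088 N/A C:\Windows\System32\WScript.exe C:\Windows\en-US\SppExtComObj.exe",
    r"PID 4088 wrote to memory of 4896 N/A C:\Windows\en-US\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe",
    r"PID 4896 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe",
]


def parse_row(line):
    """Split one row into source/target PIDs and images; None for non-matching lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    src, dst, _indicator, src_img, dst_img = m.groups()
    return {"src": int(src), "dst": int(dst), "src_img": src_img, "dst_img": dst_img}


def build_edges(rows):
    """Collapse repeated rows into unique (src, dst) edges and count the writes.

    Assumption: each write coincides with creation of the written-to process, so
    an edge reads as parent -> child. That is how the rows in this report line up.
    """
    edges = {}
    for r in filter(None, map(parse_row, rows)):
        key = (r["src"], r["dst"])
        edges.setdefault(key, {**r, "writes": 0})["writes"] += 1
    return list(edges.values())


def lineage(edges, pid):
    """Walk parent links from pid back to the root; cycle-safe."""
    parent = {e["dst"]: e["src"] for e in edges}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def flag_edges(edges):
    """Tag the edges worth a second look and return only those.

    self-image child: a fresh process of the same executable is written to by its
    parent, the shape of RunPE/process hollowing (the report also flags
    SetThreadContext for this sample).
    """
    for e in edges:
        tags = []
        if e["src_img"].lower() == e["dst_img"].lower():
            tags.append("self-image child")
        if e["dst_img"].lower().rsplit("\\", 1)[-1] in INTERPRETERS:
            tags.append("script interpreter child")
        e["tags"] = tags
    return [e for e in edges if e["tags"]]


if __name__ == "__main__":
    edges = build_edges(SAMPLE_ROWS)
    for e in flag_edges(edges):
        print(f"{e['src']} -> {e['dst']} ({e['writes']} writes): {', '.join(e['tags'])}")
    print("lineage of 2244:", " -> ".join(map(str, lineage(edges, 2244))))
```

The lineage walk exposes the relaunch loop directly: the sample starts C:\Windows\en-US\SppExtComObj.exe, which runs a .vbs through WScript.exe, which starts SppExtComObj.exe again; each round also drops a tmp*.tmp.exe that is immediately re-executed and written into.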

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A
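
Added example (Python; not part of the sandbox report). The rows above set EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The secure defaults are 1, 5 and 1; zeroed together they let administrators elevate with no prompt, move any prompt that remains off the secure desktop, and switch UAC off entirely after the next reboot. The script parses rows in the report's format, groups the writes by writing process, and reports a writer that zeroes all three as a full UAC bypass; it also marks writers outside System32/SysWOW64 (a heuristic stated in the code), which catches C:\Windows\en-US\SppExtComObj.exe, a path that borrows the name of the genuine System32 binary. Sample rows are six copied from the table above plus one constructed benign row.

```python
import re
from collections import defaultdict

# One "System policy modification" row from the report:
#   Set value (int) \REGISTRY\MACHINE\...\Policies\System\<name> = "<value>" <process> <target>
ROW_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (.+?) (\S+)$')

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Secure defaults: EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1.
# All three at 0: no prompt for administrators, no secure desktop, and UAC off
# entirely after the next reboot.
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
# Heuristic (assumption for this example): only writers under these directories are trusted.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: six rows copied from the table above plus one made-up
# benign row (a System32 writer restoring the default).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\SppExtComObj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\System32\svchost.exe N/A',
]


def parse_row(line):
    """Split one report row into its fields; None for non-matching lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    kind, path, value, process, target = m.groups()
    key, _, name = path.rpartition("\\")
    return {"kind": kind, "key": key, "name": name, "value": value,
            "process": process, "target": target}


def is_system_writer(process):
    return process.lower().startswith(SYSTEM_DIRS)


def find_uac_tampering(rows):
    """Group UAC policy writes by writing process and grade each writer.

    One finding per process that set any of the three values to "0":
      disabled         - which values it zeroed
      full_bypass      - all three zeroed (UAC effectively off)
      untrusted_writer - writer is not under System32/SysWOW64
    """
    writes = defaultdict(dict)
    for row in map(parse_row, rows):
        if row is None:
            continue
        if row["key"].lower() == UAC_POLICY_KEY.lower() and row["name"] in UAC_VALUES:
            writes[row["process"]][row["name"]] = row["value"]
    findings = []
    for process, values in sorted(writes.items()):
        disabled = sorted(n for n, v in values.items() if v == "0")
        if not disabled:
            continue
        findings.append({
            "process": process,
            "disabled": disabled,
            "full_bypass": set(disabled) == UAC_VALUES,
            "untrusted_writer": not is_system_writer(process),
        })
    return findings


if __name__ == "__main__":
    for f in find_uac_tampering(SAMPLE_ROWS):
        label = "FULL UAC BYPASS" if f["full_bypass"] else "partial"
        print(f"{label:16} {f['process']}  zeroed={','.join(f['disabled'])}  untrusted={f['untrusted_writer']}")
```

On a live host the same three values are read with Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; any of them at 0 on a machine that never had that policy deployed is worth the same treatment as the finding above.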

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe

"C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\uk-UA\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\uk-UA\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\uk-UA\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\InputMethod\SHARED\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\SHARED\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\en-US\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MusNotification.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\sysmon.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\en-US\SppExtComObj.exe

"C:\Windows\en-US\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4803edbc-d38d-4bef-b325-68bef0b695e8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d14e8953-a50e-4f1c-800d-036103754e0e.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCEAA.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5414ff24-9c20-45bd-b3d4-bae51dfd2320.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba12f97b-54b9-4a8f-beba-0c26a177c549.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d886133f-6794-49f5-8f7b-9b04223c11c7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\175740aa-0ac3-40a8-a63d-b5536313a653.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp1C1E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1C1E.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp1C1E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1C1E.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91fa9e4b-b345-4291-a4b4-213181754820.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42db24ba-6c88-425f-b913-3883b1d7571c.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp4C75.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4C75.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4C75.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4C75.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a553cb9-38c6-4b59-bff5-21f473b2107e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb439132-7a07-4cc5-a187-ba38a89375a8.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7C01.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6371c650-be7b-4d15-b987-b38e5e2bc2e8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0206a480-6315-4274-b4e2-526301786896.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp97B7.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e91b5c64-74e8-44e1-9855-4e568ac4227a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6042c1aa-bcb6-4da3-8203-bccbfa0a603a.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpB3CA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB3CA.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB3CA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB3CA.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\838b8312-660f-46d9-a5e2-0e18a945c4cf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7e7ed6e-32b2-4683-baa1-bbfbcd959244.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffa82df4-009f-4ab4-98f4-b9c222120384.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\027dddc3-71a0-405c-a51d-17f8184f6716.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp134F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp134F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp134F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp134F.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508e5245-12b9-4b77-be52-93344835c4e7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9760acd6-e897-448f-aa24-400615576aa5.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp2E79.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2E79.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2E79.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2E79.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\406024bb-62b1-4a29-ae1c-054cab11baf4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6a2b56a-a722-4940-bb39-8dd34e7d141e.vbs"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50a46d2c-9a0f-40ed-853d-7669b56d8ad5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b3d9851-740e-47fb-99a3-63e709ce8089.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp792E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp792E.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp792E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp792E.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb241d2d-1f8e-4802-9385-9d2e185a28e4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b67399b3-ef07-4caa-bcfa-d1b60deabbf8.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpA985.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA985.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA985.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA985.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3858a70c-4a3d-4cc6-904f-97edda7bf540.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fc5a0f6-f647-40ea-bf2b-e950f9afa666.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpC460.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC460.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpC460.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC460.tmp.exe"

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\en-US\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc75dbf5-ca9b-4a93-857b-ecf0f5722af4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f948150-379e-4580-b53e-456dab47f8e1.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpDFA8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDFA8.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpDFA8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDFA8.tmp.exe"

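Added example (Python; not part of the sandbox report), covering two runs of command lines in the Processes section above: the thirty schtasks.exe /create registrations and the eleven Add-MpPreference -ExclusionPath calls. For the tasks it groups registrations by target binary and flags the pattern visible above: an executable that carries the name of a Windows system process but lives outside System32 (csrss.exe in C:\Recovery\WindowsRE, SppExtComObj.exe in C:\Windows\en-US), an ONLOGON task paired with a MINUTE re-launch task for the same binary, and /rl HIGHEST on at least one of them. For the exclusions it normalises the forward-slash paths and works out whether the set leaves the whole system drive unscanned; here it does twice over, once through 'C:/' and once through the five top-level directories. The list of System32 names is limited to ones certain to ship there (Registry.exe and sysmon.exe are deliberately left out), and both that list and the set of top-level directories are assumptions stated in the code. Sample command lines are copied from the section above.

```python
import re
from collections import defaultdict

# schtasks.exe /create flags, each parsed on its own so their order does not matter.
TN_RE = re.compile(r'/tn\s+"([^"]+)"')
SC_RE = re.compile(r'/sc\s+(\S+)')
MO_RE = re.compile(r'/mo\s+(\d+)')
TR_RE = re.compile(r'/tr\s+"\'?([^"\']+)\'?"')   # /tr "'C:\x.exe'" as above, or /tr "C:\x.exe"
RL_RE = re.compile(r'/rl\s+(\S+)')
# powershell -Command Add-MpPreference -ExclusionPath '<path>'
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)

# Genuine Windows processes whose names the dropped copies borrow; all of them
# ship in C:\Windows\System32. Assumption: a copy anywhere else is a masquerade.
SYSTEM_NAMES = {"csrss.exe", "dwm.exe", "sihost.exe", "runtimebroker.exe",
                "sppextcomobj.exe", "musnotification.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Top-level directories that between them hold essentially everything on a
# system drive (assumption for this example).
SYSTEM_DRIVE_DIRS = {"program files", "program files (x86)", "programdata", "users", "windows"}

# Constructed sample: command lines copied from the Processes section above.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\sysmon.exe'" /f''',
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
]


def _grab(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def parse_schtasks(cmdline):
    """Name, schedule, interval, target binary and run level of one /create line."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    return {"name": _grab(TN_RE, cmdline),
            "schedule": (_grab(SC_RE, cmdline) or "").upper(),
            "every_min": int(_grab(MO_RE, cmdline) or 0),
            "target": _grab(TR_RE, cmdline),
            "highest": (_grab(RL_RE, cmdline) or "").upper() == "HIGHEST"}


def analyse_tasks(tasks):
    """Group registrations by target binary and flag the pattern seen above: a
    masquerading name outside System32, an ONLOGON task paired with a MINUTE
    re-launch task, and /rl HIGHEST on at least one of them."""
    by_target = defaultdict(list)
    for t in tasks:
        if t["target"]:
            by_target[t["target"]].append(t)
    out = {}
    for target, ts in by_target.items():
        low = target.lower()
        schedules = {t["schedule"] for t in ts}
        out[target] = {
            "task_names": sorted({t["name"] for t in ts}),
            "masquerade": low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS),
            "paired": {"ONLOGON", "MINUTE"} <= schedules,
            "highest": any(t["highest"] for t in ts),
            "min_interval": min((t["every_min"] for t in ts if t["every_min"]), default=0),
        }
    return out


def assess_exclusions(paths):
    """What the Defender exclusion set covers. Forward slashes are normalised to
    backslashes; a drive root, or all of SYSTEM_DRIVE_DIRS, leaves the whole
    system drive unscanned."""
    norm = sorted({p.replace("/", "\\").rstrip("\\").lower() for p in paths})
    roots = sorted(p for p in norm if re.fullmatch(r"[a-z]:", p))
    top = sorted(p.split("\\", 1)[1] for p in norm if p.count("\\") == 1)
    return {"excluded": norm, "drive_roots": roots, "top_level": top,
            "whole_drive": bool(roots) or SYSTEM_DRIVE_DIRS <= set(top)}


def triage(cmdlines):
    """Route each command line to the right parser and return both findings."""
    tasks = [t for t in map(parse_schtasks, cmdlines) if t]
    paths = [p for p in (_grab(EXCL_RE, c) for c in cmdlines) if p]
    return {"tasks": analyse_tasks(tasks), "exclusions": assess_exclusions(paths)}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for target, finding in result["tasks"].items():
        print(target, finding)
    print("exclusions:", result["exclusions"])
```

On a live host the same questions are answered by Get-ScheduledTask (the Actions property carries the executable each task runs) and by (Get-MpPreference).ExclusionPath; a task whose action is a System32 binary name under C:\Recovery or a language folder, or an exclusion on a drive root, should be treated as the finding above rather than as an administrator's choice.
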
Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 8.2.21.104.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp

Files

C:\Recovery\WindowsRE\csrss.exe

C:\Users\Admin\AppData\Local\Temp\tmpABF2.tmp.exe

C:\Windows\en-US\RCXB53E.tmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ituzjk4.wku.ps1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Temp\4803edbc-d38d-4bef-b325-68bef0b695e8.vbs

C:\Users\Admin\AppData\Local\Temp\d14e8953-a50e-4f1c-800d-036103754e0e.vbs

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

C:\Users\Admin\AppData\Local\Temp\5414ff24-9c20-45bd-b3d4-bae51dfd2320.vbs

C:\Users\Admin\AppData\Local\Temp\d886133f-6794-49f5-8f7b-9b04223c11c7.vbs

C:\Users\Admin\AppData\Local\Temp\91fa9e4b-b345-4291-a4b4-213181754820.vbs

C:\Users\Admin\AppData\Local\Temp\2a553cb9-38c6-4b59-bff5-21f473b2107e.vbs

C:\Users\Admin\AppData\Local\Temp\6371c650-be7b-4d15-b987-b38e5e2bc2e8.vbs

C:\Users\Admin\AppData\Local\Temp\e91b5c64-74e8-44e1-9855-4e568ac4227a.vbs