Malware Analysis Report

2025-06-16 00:47

Sample ID 241107-1tv9zayhqh
Target cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N
SHA256 cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9
Tags rat dcrat evasion execution infostealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9

Threat Level: Known bad

The file cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

Process spawned unexpected child process

UAC bypass

DcRat

DCRat payload

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

System policy modification

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-07 21:57

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-07 21:57
Reported 2024-11-07 21:59
Platform win7-20240903-en
Max time kernel 119s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe (42 identical rows)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A (2 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A (2 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 identical rows)

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A (3 identical rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A (3 identical rows)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\MSBuild\csrss.exe | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\RCXF876.tmp | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File opened for modification | C:\Program Files (x86)\MSBuild\csrss.exe | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX86.tmp | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File created | C:\Program Files\Windows Mail\wininit.exe | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File created | C:\Program Files\Windows Mail\it-IT\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File created | C:\Program Files (x86)\MSBuild\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\RCXF46F.tmp | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\wininit.exe | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\it-IT\RCX6FE.tmp | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File opened for modification | C:\Program Files (x86)\MSBuild\RCXFA7A.tmp | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\it-IT\Idle.exe | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\ja-JP\ad12c14214c8f1 | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File created | C:\Program Files\Windows Mail\56085415360792 | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
File created | C:\Program Files\Windows Mail\it-IT\Idle.exe | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (42 identical rows)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A (11 identical rows)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (7 identical rows)
N/A | N/A | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (8 identical rows)
N/A | N/A | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A (4 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (3 identical rows)
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (12 identical rows)
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | N/A (4 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2788 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2788 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
PID 2788 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
PID 2788 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
PID 1820 wrote to memory of 404 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 1820 wrote to memory of 404 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 1820 wrote to memory of 404 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 1820 wrote to memory of 2812 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 1820 wrote to memory of 2812 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 1820 wrote to memory of 2812 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 404 wrote to memory of 956 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
PID 404 wrote to memory of 956 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
PID 404 wrote to memory of 956 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
PID 956 wrote to memory of 2916 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 956 wrote to memory of 2916 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 956 wrote to memory of 2916 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 956 wrote to memory of 1572 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 956 wrote to memory of 1572 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 956 wrote to memory of 1572 N/A C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WScript.exe
PID 2916 wrote to memory of 2328 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

"C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9Nc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9Nc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\CSC\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\CSC\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\CSC\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CSC\Idle.exe'

C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

"C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\018527ee-67a0-4a8b-95cf-97311b97c74f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17afe48c-c6c5-4160-8903-b68b5290aa82.vbs"

C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

"C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30527b78-b0a3-43dc-bc63-74cb918042d1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc66417e-29a9-49ee-b6ef-f0ef637b77ce.vbs"

C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

"C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d146688-d242-4f28-bc0e-be30f4352735.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa144082-91b9-46ac-a3f8-16387dceb282.vbs"

C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

"C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bf7f421-3d9f-478d-aebd-158c088f3fd7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c3e5302-efcf-4864-8b74-07b80f3c3464.vbs"

C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

"C:\Program Files (x86)\Windows Defender\ja-JP\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d5006e3-5053-4f26-80b2-d278e99d8097.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\669bbe5d-45ad-4d1f-b460-4062d73f6f13.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0854644.xsph.ru udp
RU 141.8.197.42:80 a0854644.xsph.ru tcp

Files

C:\Program Files (x86)\MSBuild\csrss.exe

C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\csrss.exe

C:\Program Files\Windows Mail\it-IT\Idle.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\018527ee-67a0-4a8b-95cf-97311b97c74f.vbs

C:\Users\Admin\AppData\Local\Temp\17afe48c-c6c5-4160-8903-b68b5290aa82.vbs

C:\Users\Admin\AppData\Local\Temp\30527b78-b0a3-43dc-bc63-74cb918042d1.vbs

C:\Users\Admin\AppData\Local\Temp\2d146688-d242-4f28-bc0e-be30f4352735.vbs

C:\Users\Admin\AppData\Local\Temp\9bf7f421-3d9f-478d-aebd-158c088f3fd7.vbs

C:\Users\Admin\AppData\Local\Temp\2d5006e3-5053-4f26-80b2-d278e99d8097.vbs

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 21:57

Reported

2024-11-07 21:59

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\services.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\services.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Mail\wininit.exe C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
File created C:\Program Files\Windows Mail\56085415360792 C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
File created C:\Program Files\Windows Mail\wininit.exe C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Recovery\WindowsRE\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Recovery\WindowsRE\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Recovery\WindowsRE\services.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Recovery\WindowsRE\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Recovery\WindowsRE\services.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Recovery\WindowsRE\services.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\WindowsRE\services.exe N/A
N/A N/A C:\Recovery\WindowsRE\services.exe N/A
N/A N/A C:\Recovery\WindowsRE\services.exe N/A
N/A N/A C:\Recovery\WindowsRE\services.exe N/A
N/A N/A C:\Recovery\WindowsRE\services.exe N/A
N/A N/A C:\Recovery\WindowsRE\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\services.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
PID 1708 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
PID 2652 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Recovery\WindowsRE\services.exe
PID 2652 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe C:\Recovery\WindowsRE\services.exe
PID 4380 wrote to memory of 3516 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 4380 wrote to memory of 3516 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 4380 wrote to memory of 2548 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 4380 wrote to memory of 2548 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 3516 wrote to memory of 2820 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\services.exe
PID 3516 wrote to memory of 2820 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\services.exe
PID 2820 wrote to memory of 1348 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 2820 wrote to memory of 1348 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 2820 wrote to memory of 4512 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 2820 wrote to memory of 4512 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 1348 wrote to memory of 5072 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\services.exe
PID 1348 wrote to memory of 5072 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\services.exe
PID 5072 wrote to memory of 1700 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 5072 wrote to memory of 1700 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 5072 wrote to memory of 1972 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 5072 wrote to memory of 1972 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 1700 wrote to memory of 2384 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\services.exe
PID 1700 wrote to memory of 2384 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\services.exe
PID 2384 wrote to memory of 2160 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 2384 wrote to memory of 2160 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 2384 wrote to memory of 2848 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 2384 wrote to memory of 2848 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 2160 wrote to memory of 5004 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\services.exe
PID 2160 wrote to memory of 5004 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\services.exe
PID 5004 wrote to memory of 4528 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 5004 wrote to memory of 4528 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 5004 wrote to memory of 3932 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 5004 wrote to memory of 3932 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 4528 wrote to memory of 3612 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\services.exe
PID 4528 wrote to memory of 3612 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\services.exe
PID 3612 wrote to memory of 3992 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 3612 wrote to memory of 3992 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 3612 wrote to memory of 2592 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe
PID 3612 wrote to memory of 2592 N/A C:\Recovery\WindowsRE\services.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\services.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

"C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'

C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

"C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'

C:\Recovery\WindowsRE\services.exe

"C:\Recovery\WindowsRE\services.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14157f7e-910c-4ffe-b8b8-47484f1ae9ca.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e6f0bd1-af4c-4452-be48-3f4c097cfe3f.vbs"

C:\Recovery\WindowsRE\services.exe

C:\Recovery\WindowsRE\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34ea7fbf-4878-436b-87f2-c80b2c75ce30.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fabaf2d-04cd-4996-9faf-70a9f424f53b.vbs"

C:\Recovery\WindowsRE\services.exe

C:\Recovery\WindowsRE\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45cda749-46ef-4ed2-915b-c6acb7bcf6a9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\334ae3a9-714d-4c7b-9bed-7653947e4a11.vbs"

C:\Recovery\WindowsRE\services.exe

C:\Recovery\WindowsRE\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e2ff5bd-4c47-46ad-9bd2-544ccfbea422.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f4ccf5f-73c9-417d-87aa-de16593b7a8f.vbs"

C:\Recovery\WindowsRE\services.exe

C:\Recovery\WindowsRE\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c745a6d3-d8ca-4e8a-ace5-e5f978349a4e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a989b9e-b027-45e3-97a7-a24a3ee70be0.vbs"

C:\Recovery\WindowsRE\services.exe

C:\Recovery\WindowsRE\services.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c80b87e3-b704-456d-b113-0d8d43bb5182.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b984d708-6c5e-443d-9861-2a104a855a0d.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 a0854644.xsph.ru udp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 72.208.201.84.in-addr.arpa udp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
RU 141.8.197.42:80 a0854644.xsph.ru tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 141.8.197.42:80 a0854644.xsph.ru tcp

Files

memory/1708-0-0x00007FFE0B013000-0x00007FFE0B015000-memory.dmp

memory/1708-1-0x0000000000890000-0x0000000000A5E000-memory.dmp

memory/1708-2-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

memory/1708-3-0x0000000002B90000-0x0000000002BAC000-memory.dmp

memory/1708-6-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

memory/1708-8-0x0000000002BE0000-0x0000000002BF2000-memory.dmp

memory/1708-7-0x0000000002BC0000-0x0000000002BD6000-memory.dmp

memory/1708-5-0x0000000002B30000-0x0000000002B38000-memory.dmp

memory/1708-4-0x000000001BD20000-0x000000001BD70000-memory.dmp

memory/1708-9-0x0000000002C10000-0x0000000002C20000-memory.dmp

memory/1708-10-0x0000000002BF0000-0x0000000002BFA000-memory.dmp

memory/1708-11-0x0000000002C00000-0x0000000002C12000-memory.dmp

memory/1708-12-0x000000001C3C0000-0x000000001C8E8000-memory.dmp

memory/1708-13-0x0000000002C20000-0x0000000002C2A000-memory.dmp

memory/1708-15-0x000000001BEA0000-0x000000001BEAE000-memory.dmp

memory/1708-14-0x000000001BE90000-0x000000001BE9E000-memory.dmp

memory/1708-16-0x000000001BEB0000-0x000000001BEBC000-memory.dmp

memory/1708-17-0x000000001BEC0000-0x000000001BECC000-memory.dmp

C:\Recovery\WindowsRE\dwm.exe

MD5 d460777963c85344556aa9d4adc322a0
SHA1 cb0f873b26e938ef7d5b5dbe71aa23bc311400d3
SHA256 cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9
SHA512 a247b0454747177cdc7453bd5208b78ed8e37332b68d672de46e9ea0f2dc0da9947d3fc40f6bfcc6c74fd7a8ef371a311217c9f5c3c0f13c291d69dd2f9590af

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_prnq2ice.lqi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1044-53-0x00000213756B0000-0x00000213756D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 a43e653ffb5ab07940f4bdd9cc8fade4
SHA1 af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256 c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA512 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe.log

MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

memory/1708-77-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

memory/2652-78-0x000000001C030000-0x000000001C042000-memory.dmp

memory/2652-79-0x000000001C1A0000-0x000000001C1B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 54522d22658e4f8f87ecb947b71b8feb
SHA1 6a6144bdf9c445099f52211b6122a2ecf72b77e9
SHA256 af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a
SHA512 55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 def02d9cbf3553624aa606226770e69c
SHA1 4c10b8d53a467654de7d22b9e96aee8f61ae2c86
SHA256 d89a0d362229fc3a7042031aec4175ecbe776d9baffed142d3f147dfa57bcd71
SHA512 0640e7fd9374de59908c510114f18354a777397b163a63341a2e6bd8ef00d826aba6ad657ccc172f0790e423ecbaf737a0fa4ff05a85477e5b9e72f80d35dce1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ef72c47dbfaae0b9b0d09f22ad4afe20
SHA1 5357f66ba69b89440b99d4273b74221670129338
SHA256 692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA512 7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 085e0a3b869f290afea5688a8ac4e7c5
SHA1 0fedef5057708908bcca9e7572be8f46cef4f3ca
SHA256 1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c
SHA512 bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

C:\Users\Admin\AppData\Local\Temp\14157f7e-910c-4ffe-b8b8-47484f1ae9ca.vbs

MD5 c8c56cef6dcf3770b1addbc9a64f1923
SHA1 606867d4fb4693b160aa702f922157a979f60aa8
SHA256 ffa1b4f7e2aa04e96d7a48602e1a18274c3207e10d3674d5014ca236bbfa1688
SHA512 7fb7d39ef60376e5642792cf3001c7fa846a7b4f9ccf3abf75ad621d6f7ad93e9001673619523863c53915fc5a6ec216f09df683403c92b1c79fdb4b0fa228ce

C:\Users\Admin\AppData\Local\Temp\2e6f0bd1-af4c-4452-be48-3f4c097cfe3f.vbs

MD5 37ba87a1be9cb97a17bc2b0ee93c02ef
SHA1 279bdad2ef627145063d63932582b4086f7d5909
SHA256 5a22498845de07c35467f4f5030c623f76f363adca33df5935e1009e9ac115bf
SHA512 bf15f849dc947d20e33f9891003d50b56a336cc7bca58e850ea961e066737d354a459561437bc4d7fad81de18459873a1dd623067cb1a3001910a7338f477865

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\34ea7fbf-4878-436b-87f2-c80b2c75ce30.vbs

MD5 3be2c7376cb4f49c3e347f4bd2b9dfdf
SHA1 2f55df4988e441ff595586804af684180e244b0c
SHA256 7947c2da4993c2fcdd8e7edacc515f77ce58a016b00c71e3609d27f22c4e9cf3
SHA512 33519061337f6de6db57f718be12edc26a28d40b6e1580f4fb024d69b96c9ce489fbeee97fc477b76f0d0b90edd0fa9b51eb8d9c7c2ec70251eb8369ae92bc21

C:\Users\Admin\AppData\Local\Temp\45cda749-46ef-4ed2-915b-c6acb7bcf6a9.vbs

MD5 bf0982120d1e46678901defbd4607a2c
SHA1 a291ef0104662392190681538143ac4d588d34a8
SHA256 6987557a207650c0fe716ddfbc07dc6dcf09520b67ade52d22f544a34871437a
SHA512 b5bcd0a1a0e6a77bb8fdb60252236e9efa32166a25754092b51bd93b0340cd85781af6351d51397d3f9b505fad1a538ff32e46d62764deabb23757e7a49aefe8

C:\Users\Admin\AppData\Local\Temp\4e2ff5bd-4c47-46ad-9bd2-544ccfbea422.vbs

MD5 2662b9cef9f9770691fc33e417eb67b9
SHA1 bbcf4e3c784c0cd37c798adc4ae82820ce6b1572
SHA256 b961323552662e1ad12f4f4b29e08468c239be3228c8b5fefb1ae7a0f88da489
SHA512 ede46a6d98d0768c5cfd10de432e64866c659c539407462fc109ac63e4218e00080e18431d2bf3cdfeb79e17694439c6e1f1094d2c1561fbba165da824352c02

C:\Users\Admin\AppData\Local\Temp\c745a6d3-d8ca-4e8a-ace5-e5f978349a4e.vbs

MD5 f28f5593008260728f367fcf27a6c76a
SHA1 739ac33ebee5f764556e8e828823ad9d5c5614a0
SHA256 181efda7a00f834434a1972bd59224e4e305fae7c3f200ae12911db8d9b93ed3
SHA512 4b8bcd0616421ce139bc3ae4cd2e33ef4799a8c6d6d7919f0d13468b8c88f995b1c4ec88e38e9acf6b6b1f393c80e88ae7beb3c5b567d5a81640ba69536895d0

C:\Users\Admin\AppData\Local\Temp\c80b87e3-b704-456d-b113-0d8d43bb5182.vbs

MD5 7f11ccd6080d58c5de2f0c1b4d3923da
SHA1 ddf370d57321651837adfe0d96f4dc22e5881f60
SHA256 4b90cfcd10597e17a8c9e57b51da0f83eb179a055ef4863b353b971b2603c2fa
SHA512 41af159d40641f528e15f8aee8787dbd7353d42b1f7d5075585bb2de68244c8c0dfab092ee95512074feea8c4b86334877679d11e92dca061509f99c0144cbd2