Malware Analysis Report

2024-11-13 16:50

Sample ID 241108-t1vhpavkfx
Target 31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N
SHA256 31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2
Tags
dcrat evasion execution infostealer rat trojan colibri build1 discovery loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2

Threat Level: Known bad

The file 31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Process spawned unexpected child process

Colibri Loader

Colibri family

Dcrat family

DcRat

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

System policy modification

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 16:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 16:31

Reported

2024-11-08 16:33

Platform

win7-20241023-en

Max time kernel

117s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 51
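Every one of the 51 rows in this table is the same lineage: schtasks.exe with WmiPrvSE.exe as its parent. A process created through WMI's Win32_Process.Create is parented by WmiPrvSE.exe rather than by the caller, so this lineage is the usual footprint of task creation done over WMI; the report does not capture the schtasks.exe command lines, so treat that as the likely explanation rather than a confirmed one. The check below is an added example, not code from the sandbox report or from the malware: it runs a lineage rule over constructed process-creation events modelled on this report. The event layout, the rule table and the burst threshold are assumptions; the paths and PIDs 2824, 1272 and 1428 come from the report, all other PIDs are invented.

```python
"""Process-lineage check modelled on the WmiPrvSE.exe -> schtasks.exe rows.

Added example, not code from the sandbox report.  The event layout, the
lineage rule table and the burst threshold are assumptions for this
example; PIDs 2824, 1272 and 1428 and the paths come from the report,
the other PIDs are invented.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    parent_image: str  # full path of the creating process


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


# (parent, child) pairs that a normal desktop should not produce.  A process
# started via WMI's Win32_Process.Create is parented by WmiPrvSE.exe, so
# these pairs read as "LOLBin launched through WMI".  (assumption: rule list)
UNEXPECTED_LINEAGE = {
    ("wmiprvse.exe", "schtasks.exe"): "schtasks.exe launched through the WMI provider host",
    ("wmiprvse.exe", "powershell.exe"): "powershell.exe launched through the WMI provider host",
    ("wmiprvse.exe", "cmd.exe"): "cmd.exe launched through the WMI provider host",
}

# Script hosts started by an executable sitting in a user's Temp directory.
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def check_event(ev: ProcEvent) -> list[str]:
    """Reasons this one event is suspicious; empty list if none."""
    hits: list[str] = []
    key = (_name(ev.parent_image), _name(ev.image))
    if key in UNEXPECTED_LINEAGE:
        hits.append(UNEXPECTED_LINEAGE[key])
    if _name(ev.image) in SCRIPT_HOSTS and TEMP_DIR.match(ev.parent_image):
        hits.append(f"{_name(ev.image)} spawned by an executable in a user Temp directory")
    return hits


def check_tree(events: list[ProcEvent], burst: int = 5) -> dict:
    """Run check_event over all events and count hits per parent PID.

    One WMI-launched schtasks.exe is a weak signal; the same parent doing it
    dozens of times (51 in this report) is a strong one, so parents with at
    least `burst` flagged children are returned separately.
    """
    findings: dict[int, list[str]] = {}
    per_parent: Counter = Counter()
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev.pid] = hits
            per_parent[(ev.ppid, _name(ev.parent_image))] += 1
    bursts = {parent: n for parent, n in per_parent.items() if n >= burst}
    return {"findings": findings, "bursts": bursts}


# Constructed events shaped after this report's process activity.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

EVENTS = [
    ProcEvent(2824, 1900, SAMPLE, EXPLORER),                               # user runs the sample
    ProcEvent(1272, 2824, POWERSHELL, SAMPLE),                             # sample -> powershell.exe
    ProcEvent(1428, 2824, POWERSHELL, SAMPLE),
    ProcEvent(1900, 1800, EXPLORER, r"C:\Windows\System32\userinit.exe"),  # benign lineage
] + [
    ProcEvent(3000 + i, 2140, SCHTASKS, WMIPRVSE) for i in range(51)       # 51 WMI-launched schtasks
]

if __name__ == "__main__":
    result = check_tree(EVENTS)
    for pid, reasons in sorted(result["findings"].items()):
        print(pid, "; ".join(reasons))
    print("burst parents:", result["bursts"])
```

The per-parent burst count is what turns this from a noisy rule into a usable one: a single WmiPrvSE.exe child can be an administration tool, 51 in two minutes is not.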

UAC bypass

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A 8
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A 8
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A 8
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A 1

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A 8
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A 8
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A 1
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A 1
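The three values written in the "UAC bypass" and "Checks whether UAC is enabled" tables are the registry backing for User Account Control: EnableLUA = 0 switches UAC off entirely (effective at the next logon or reboot), ConsentPromptBehaviorAdmin = 0 elevates administrators with no prompt, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop. Writing under HKLM\SOFTWARE\...\Policies\System needs an already-elevated token, so these rows do not show a prompt being bypassed; they show the sample, and later its C:\Recovery\...\lsass.exe copy, turning UAC off so that everything after it elevates silently. The code below is an added example, not from the report or from DCRat: it parses rows in the shape printed above, replays them to find which controls ended up weakened and by which process, and emits the reg.exe commands that restore the Windows defaults. The row grammar is this report's; the baseline values are Windows defaults; any other feed (Sysmon event 13, an EDR registry log) can be mapped onto the RegWrite record.

```python
"""UAC policy drift from registry-write events.

Added example, not code from the report or from DCRat.  It parses rows in
the shape printed in this report and reports which UAC controls ended up
weakened and by which process; the baseline values are Windows defaults.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_KEY_REG = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (Windows default, what a 0 means).  ConsentPromptBehaviorAdmin 2
# ("always notify") is stricter than the default 5 and is also acceptable.
UAC_BASELINE = {
    "EnableLUA": (1, "UAC disabled entirely; takes effect at the next logon or reboot"),
    "ConsentPromptBehaviorAdmin": (5, "administrators are elevated with no prompt at all"),
    "PromptOnSecureDesktop": (1, "elevation prompts are shown on the normal, spoofable desktop"),
}


@dataclass(frozen=True)
class RegWrite:
    key: str
    value: str
    data: int
    process: str


# 'Set value (int) <key>\<value> = "<data>" <process> N/A' as printed in this report.
_ROW = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>-?\d+)" (?P<proc>.+?) N/A$'
)


def parse_sandbox_row(row: str) -> Optional[RegWrite]:
    """One report row -> RegWrite, or None for rows that are not int writes."""
    m = _ROW.match(row)
    if not m:
        return None
    return RegWrite(m["key"], m["name"], int(m["data"]), m["proc"])


def uac_posture(writes: list[RegWrite]) -> dict:
    """Replay writes in order; return {value: {"data", "by", "effect"}} for
    every baseline value whose final data differs from the default."""
    state = {name: default for name, (default, _) in UAC_BASELINE.items()}
    writers: dict[str, list[str]] = {name: [] for name in UAC_BASELINE}
    for w in writes:
        if w.key.lower() != UAC_KEY.lower() or w.value not in UAC_BASELINE:
            continue  # other keys/values are out of scope for this check
        state[w.value] = w.data
        if w.process not in writers[w.value]:
            writers[w.value].append(w.process)
    weakened = {}
    for name, (default, effect) in UAC_BASELINE.items():
        if state[name] != default:
            weakened[name] = {"data": state[name], "by": writers[name], "effect": effect}
    return weakened


def restore_commands(weakened: dict) -> list[str]:
    """reg.exe commands that put each affected value back to its default."""
    return [
        f'reg add "{UAC_KEY_REG}" /v {name} /t REG_DWORD /d {UAC_BASELINE[name][0]} /f'
        for name in weakened
    ]


# Four rows copied from this report's tables (each is listed there several
# times; replaying one of each is enough to reach the final state).
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A',
]

if __name__ == "__main__":
    writes = [w for w in map(parse_sandbox_row, REPORT_ROWS) if w]
    weak = uac_posture(writes)
    for name, info in weak.items():
        print(f"{name} = {info['data']}: {info['effect']} (set by {', '.join(info['by'])})")
    print(*restore_commands(weak), sep="\n")
```

Restoring the values is only the registry half of clean-up: EnableLUA is read at logon, so the host also needs a reboot, and the dropped copies and scheduled tasks that re-apply the writes have to go first or the values will be reset.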

Drops file in System32 directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe; Target (all rows): N/A
Description Indicator
File created C:\Windows\System32\bg-BG\services.exe
File created C:\Windows\System32\bg-BG\c5b4cb5e9653cc
File opened for modification C:\Windows\System32\bg-BG\RCX7D10.tmp
File opened for modification C:\Windows\System32\bg-BG\services.exe

Drops file in Program Files directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe; Target (all rows): N/A
Description Indicator
File created C:\Program Files (x86)\MSBuild\Microsoft\886983d96e3d3e
File created C:\Program Files (x86)\Google\CrashReports\2df7d9e56efdae
File opened for modification C:\Program Files\Windows Photo Viewer\es-ES\RCX7A9E.tmp
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\RCX8127.tmp
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\RCX8A11.tmp
File created C:\Program Files\Windows Photo Viewer\es-ES\7a0fd90576e088
File created C:\Program Files (x86)\Windows Photo Viewer\smss.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe
File opened for modification C:\Program Files (x86)\Google\CrashReports\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe
File opened for modification C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe
File opened for modification C:\Program Files (x86)\Google\CrashReports\RCX908A.tmp
File created C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX7F24.tmp
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\smss.exe
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991
File created C:\Program Files (x86)\Windows Photo Viewer\69ddcba757bf72
File created C:\Program Files (x86)\Google\CrashReports\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

Drops file in Windows directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe; Target (all rows): N/A
Description Indicator
File created C:\Windows\IME\IMETC10\HELP\dwm.exe
File created C:\Windows\Vss\Writers\System\f3b6ecef712a24
File created C:\Windows\servicing\de-DE\csrss.exe
File created C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe
File created C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\cc11b995f2a76d
File opened for modification C:\Windows\IME\IMETC10\HELP\RCX787B.tmp
File opened for modification C:\Windows\RemotePackages\RemoteApps\winlogon.exe
File opened for modification C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCX880D.tmp
File created C:\Windows\winsxs\spoolsv.exe
File opened for modification C:\Windows\RemotePackages\RemoteApps\RCX832B.tmp
File opened for modification C:\Windows\Vss\Writers\System\RCX8E86.tmp
File created C:\Windows\Vss\Writers\System\spoolsv.exe
File created C:\Windows\IME\IMETC10\HELP\6cb0b6c459d5d3
File created C:\Windows\RemotePackages\RemoteApps\winlogon.exe
File created C:\Windows\RemotePackages\RemoteApps\cc11b995f2a76d
File opened for modification C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe
File opened for modification C:\Windows\Vss\Writers\System\spoolsv.exe
File opened for modification C:\Windows\IME\IMETC10\HELP\dwm.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\schtasks.exe N/A 51
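The three file-drop tables above and the 51 schtasks.exe invocations belong to one pattern. Each copy of the sample is written under the name of a Windows system binary (lsass.exe, services.exe, csrss.exe, smss.exe, winlogon.exe, dwm.exe, spoolsv.exe, dllhost.exe, explorer.exe) into a directory where that binary never lives, staged through an RCXnnnn.tmp file, and accompanied by a file with a 14-character hexadecimal name (c5b4cb5e9653cc beside services.exe, 886983d96e3d3e beside csrss.exe, and so on); the scheduled tasks are where those paths get referenced on a live host, even though the report does not capture the task definitions. The example below is added here and is not code from the report: one path check applied both to file-create indicators copied from the tables above and to rows shaped like the output of schtasks /query /fo CSV /v. The canonical-location table is a deliberately small assumption to be extended from a known-good host, and the task CSV is constructed, with invented task names, because the report shows none.

```python
"""Masquerading-path check for dropped binaries and scheduled tasks.

Added example, not code from the report.  CANONICAL is a deliberately
small table (assumption: extend it from a known-good host); FILE_ROWS are
copied from the report's tables plus one constructed benign row; TASKS_CSV
is constructed to look like `schtasks /query /fo CSV /v` output, since the
report does not capture the task definitions.
"""
from __future__ import annotations

import csv
import io
import re
from pathlib import PureWindowsPath
from typing import Optional

# Directories where Windows itself keeps these binaries (lower-case).
CANONICAL = {
    "lsass.exe":    {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "smss.exe":     {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "dwm.exe":      {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "dllhost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
# Component-store copies live one directory below WinSxS; a file directly
# in C:\Windows\winsxs (as dropped in this report) does not.
WINSXS_COMPONENT = re.compile(r"^c:\\windows\\winsxs\\[^\\]+$")
STAGING_TMP = re.compile(r"^rcx[0-9a-f]{4}\.tmp$")   # write-then-rename staging seen in the report
COMPANION = re.compile(r"^[0-9a-f]{14}$")            # 14-hex marker dropped beside each copy
_EXE = re.compile(r'^"([^"]+)"|^(\S+)')              # first token of a "Task To Run" command


def classify_path(path: str) -> Optional[str]:
    """Reason a path looks like part of this drop pattern, or None."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in CANONICAL:
        if parent in CANONICAL[name] or WINSXS_COMPONENT.match(parent):
            return None
        return f"{name} outside its canonical location ({parent})"
    if STAGING_TMP.match(name):
        return "RCX*.tmp staging file"
    if COMPANION.match(name):
        return "14-hex companion file (corroborating only; noisy on its own)"
    return None


def scan_file_events(rows: list[str]) -> dict[str, str]:
    """rows: 'File created <path>' / 'File opened for modification <path>'."""
    flagged = {}
    for row in rows:
        for prefix in ("File created ", "File opened for modification "):
            if row.startswith(prefix):
                path = row[len(prefix):].strip()
                reason = classify_path(path)
                if reason:
                    flagged[path] = reason
    return flagged


def scan_schtasks_csv(text: str) -> list[tuple[str, str]]:
    """Flag tasks whose 'Task To Run' executable fails classify_path."""
    flagged = []
    for rec in csv.DictReader(io.StringIO(text)):
        if rec["TaskName"] == "TaskName":
            continue  # schtasks repeats the header line per task folder
        m = _EXE.match(rec.get("Task To Run", ""))
        exe = (m.group(1) or m.group(2)) if m else ""
        reason = classify_path(exe)
        if reason:
            flagged.append((rec["TaskName"], reason))
    return flagged


FILE_ROWS = [
    r"File created C:\Windows\System32\bg-BG\services.exe",
    r"File created C:\Windows\System32\bg-BG\c5b4cb5e9653cc",
    r"File opened for modification C:\Windows\System32\bg-BG\RCX7D10.tmp",
    r"File created C:\Windows\winsxs\spoolsv.exe",
    r"File created C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe",
    r"File created C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe",
    # constructed benign row: a real component-store copy is not flagged
    r"File created C:\Windows\WinSxS\amd64_constructed-component_0000\spoolsv.exe",
]

# Constructed; task names are invented, the two paths are from the report.
TASKS_CSV = r'''"HostName","TaskName","Status","Task To Run","Run As User"
"WIN7","\constructed-task-1","Ready","C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe","Admin"
"WIN7","\constructed-task-2","Ready","""C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe""","Admin"
"HostName","TaskName","Status","Task To Run","Run As User"
"WIN7","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c","SYSTEM"
'''

if __name__ == "__main__":
    for path, reason in scan_file_events(FILE_ROWS).items():
        print(f"{reason:60} {path}")
    for task, reason in scan_schtasks_csv(TASKS_CSV):
        print(f"{reason:60} {task}")
```

The copy named after the sample itself (31b10a4...N.exe under Google\CrashReports) is deliberately not caught by the name table; that one is found by hash, which is why a path rule and a hash rule belong together in the same hunt.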

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A 9
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
N/A N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A 8

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
Token: SeDebugPrivilege N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A 8

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2824 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2824 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2824 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2824 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2824 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\cmd.exe
PID 2824 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\cmd.exe
PID 2824 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\cmd.exe
PID 2768 wrote to memory of 1760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2768 wrote to memory of 1760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2768 wrote to memory of 1760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2768 wrote to memory of 2872 N/A C:\Windows\System32\cmd.exe C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
PID 2768 wrote to memory of 2872 N/A C:\Windows\System32\cmd.exe C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
PID 2768 wrote to memory of 2872 N/A C:\Windows\System32\cmd.exe C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
PID 2872 wrote to memory of 1304 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 1304 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 1304 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 1748 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 1748 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 1748 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 1304 wrote to memory of 2488 N/A C:\Windows\System32\WScript.exe C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
PID 1304 wrote to memory of 2488 N/A C:\Windows\System32\WScript.exe C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
PID 1304 wrote to memory of 2488 N/A C:\Windows\System32\WScript.exe C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
PID 2488 wrote to memory of 1732 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 1732 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 1732 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2124 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2124 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 2488 wrote to memory of 2124 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe
PID 1732 wrote to memory of 2288 N/A C:\Windows\System32\WScript.exe C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
PID 1732 wrote to memory of 2288 N/A C:\Windows\System32\WScript.exe C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
PID 1732 wrote to memory of 2288 N/A C:\Windows\System32\WScript.exe C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
PID 2288 wrote to memory of 2340 N/A C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

"C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\IMETC10\HELP\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\IME\IMETC10\HELP\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\IMETC10\HELP\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\bg-BG\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\bg-BG\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\bg-BG\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteApps\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N3" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N3" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKezoIFTG2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

"C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dd63b14-ddc3-4bb3-b6f9-2fa1eaf10e9e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7eee2d7-f897-4ba0-843c-4d47b0a4068e.vbs"

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89fb5234-3d23-4c49-a6b7-c0837a6d5e02.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ceeaef7-acdb-4db2-8133-b5a6f3dad8b6.vbs"

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54da542d-0b70-48f8-ad85-05508b5e50d0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\092a8382-fe90-4f63-964f-67241c56ae37.vbs"

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e77c1db-a7da-4547-9390-ee2d9acaf075.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca815826-ca60-4be1-959f-89f769d9bdd5.vbs"

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ffda991-78ee-4d91-85b2-385947df9ed6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8e4ff4b-b0f2-49f8-ada0-6def49a78892.vbs"

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd5559ca-ae03-46dc-a37f-78b54a08c611.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\745df3e5-924f-4511-85c8-9f7ff2cd34ce.vbs"

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0cee2e5-13bd-4188-86af-b6ac54164a23.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48a59544-fd63-4c9d-97fc-41930a8f7c09.vbs"

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9a945e8-121d-4b6d-af62-a915ca985284.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\999312e5-7f98-4ece-a3b7-18840e9fd683.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp

Files

C:\Program Files (x86)\Windows Photo Viewer\smss.exe

MD5 4f2a2b2ffa4db5771f5e9f6927ee7390
SHA1 dbcc615437c6925f3e18010854607e66c3e5bce3
SHA256 31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2
SHA512 51493c4ef3de3a62f6b630f24daf609d509a23cc1f663311496794a49e932fab57c0196f88688ddcd939028eead0bf46b2979bf5042c1ab5de3a0605a67c2f8e

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RCX859C.tmp

MD5 172280c3096ae734642701bd2a4fdf3b
SHA1 fe777c8f7afab4c95316bbc44c58f2d52e70b7be
SHA256 bc9f004ee7a56e7015b9bb01259ba30f521839668e5c20c3c747edad56a281d9
SHA512 d1220efa02ba6931cdc337df967fd6dc97ec3f8078ed1f995465f9b99c03a9d0c668c2181ad57528f6ce4ef85f0b59267b4f642fd6b575efa87fe789d35ec255

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe

MD5 520872ea2146d2de1da75e6b5ba6e910
SHA1 0c90b3aa89f1994c61b1ab589171819eb65d3e51
SHA256 ab48b87e9ac0594687fc0dbaff4c2d21cd32fd65b24a26ca9fc7675626997f33
SHA512 4c25930cfe6e957e009ab2d928aae120d2375d774a3822de0bc0086046272f78db5f5f81bee2a423d040e31c25f0e3f810e822fbe40f7aee7418d293c98a507b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1OTF67RNVZQEXDE1D8X6.temp

MD5 8b0528328445a4e62b5dffd2b29ba0b1
SHA1 38d538f69cbc222ff98594b598000d47bd5ebc2b
SHA256 6ab5955af19fad7d7e7dccfbf0cd87fe55908b56e80ee883e60fbc4ab46ab552
SHA512 23cb7668c55c7a78733f9da88651d0136f0efad835b64cef9f2d0880ceaac3256216a929a1f994d29ef3c98c1d61a9513f717ba44cd85d19d3e286d9d98813ab

memory/2492-203-0x00000000029F0000-0x00000000029F8000-memory.dmp

memory/1272-202-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YKezoIFTG2.bat

MD5 16543735f1aad73a528f84aee1f79022
SHA1 68e2e214f5f6392deb88a82d2b71976d670685cf
SHA256 a1b021629f7cec1419d5cc1f2888fc826f597a463779a6ffae60a38b83f56fda
SHA512 35c414b0d7d0246b672164444210dd2ef5e4408366e99453ff0c159e5dd47eb0becacf8d12288a6b6bbb8d935b9f93815d017e9e16bfcb60c227e65e0e03eb61

memory/2872-238-0x0000000000E80000-0x0000000001374000-memory.dmp

memory/2872-239-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1dd63b14-ddc3-4bb3-b6f9-2fa1eaf10e9e.vbs

MD5 bc1a38fd4fea61281b96250cbbecf71f
SHA1 ec8ae5f37ba0abb78187809fd2f48abbc8f086de
SHA256 7005fc75dbb49f6dc47c898cc617b588cc779078bda2e68a6fd9951a2f05b5d2
SHA512 3c6d0559cc6226baf909d250631068b4fbe7674c16575dd79d5dbe9b5fbb7a2913275ebdaac7c6d5733b0af3f2801a222cdc68cda517f6a0f83b4a10aebd151c

C:\Users\Admin\AppData\Local\Temp\e7eee2d7-f897-4ba0-843c-4d47b0a4068e.vbs

MD5 c4dded5ae764c3184ab02c5bde0698f2
SHA1 c6d447ceca9d3a86c49f70ce7f59e5bca0fdf74a
SHA256 01e6753e245376e2d7a7344c7a729ac24726fc7082f45923c22320d284056b6f
SHA512 20c613eb5d01ebfd8b17c6ecfb7d35d491701216b7cbd75081e0f5691d9ccdb6ce86f018e67fb708d7d11280d8ce43facc5a647901bb6ed2eba2f0916e50ef6c

C:\Users\Admin\AppData\Local\Temp\tmpC320.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/2488-253-0x00000000002F0000-0x00000000007E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\89fb5234-3d23-4c49-a6b7-c0837a6d5e02.vbs

MD5 61d043d12ae2615a20a718c67e7c54f4
SHA1 19a71624d069c891f5bcdbc2a1607070d66fdee0
SHA256 6b9f06e2ca0242b38c1f2a135a9d731167c483e8c96133ed38fe28e019fc3846
SHA512 f5804bb20ff5f2c3de475d4a7a310bf892162a40b62b6ef65f9e18eb33613401997ce47122888575a976a1739b46cdd078daa87dbc16282699433045c6661c4e

memory/2288-268-0x0000000000C60000-0x0000000001154000-memory.dmp

memory/2288-269-0x00000000005A0000-0x00000000005B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54da542d-0b70-48f8-ad85-05508b5e50d0.vbs

MD5 cbf1abb128b1eeb9a3910606356c580d
SHA1 0de780651f6b64befd0717238d187137c6b8ed79
SHA256 ffc067627c137ef66e9c273a9b5a58c538c46b9afee25aafa3d65998c0f7e10f
SHA512 fbaec0bb12a14fd1254fa17311283b2eaed8aa2ab0b5f6c0b83835ebe3cf86948c2728b88aafcb702d0e5c74b84f39b11120f764be127a891fe3499840907b3b

memory/2400-284-0x0000000000380000-0x0000000000874000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7e77c1db-a7da-4547-9390-ee2d9acaf075.vbs

MD5 5ecfd80387156763e27defbf3f453419
SHA1 d5332778aa31a9db78d5855506086a44e51645db
SHA256 592118b147928adc4bf3e2c047c5f1bb52e92aa8cf097c880dbd6be774fed371
SHA512 eb2b703a82dc5f29c5d9ca25f311760869cf88243541f8a053d5699866c6dd96500ed3c7e10b49de1a106704b24700aeefb038e7650c6047d56be3228cc149a9

memory/808-299-0x0000000001200000-0x00000000016F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8ffda991-78ee-4d91-85b2-385947df9ed6.vbs

MD5 ea8721f653357fc225a590dcc9ffbd04
SHA1 14720e7a804b94e1771af4b6a9d82339d9862d11
SHA256 a0e50f1861a9d85a6225dbe2dd05b92c713f76e48a06d1778ca79b05b481b6e8
SHA512 cd9c083365e2ae6f71dedee1dfa37a4d8972185869cf39b91ac8ee404993a9e76bff43117835610bb698469bcf309bb275e396a537c878760082f20310811aba

C:\Users\Admin\AppData\Local\Temp\bd5559ca-ae03-46dc-a37f-78b54a08c611.vbs

MD5 2448f598c6a0077571c1b4e355502967
SHA1 75f1e00e9cf135aea3b97efaa144b2e73ee0231c
SHA256 5a8b34e868f71398602c9c2dc5eb1bb1e420ee5ef794be54b1ec62389dfee5d0
SHA512 75505be8d8ff568d62863fc3a2bbc367d7ceb228edb4b08429638b35da4e4a5e77910fecbcfda4680616b8cfc46daecd4d59e99773226b8caa408a342ef2cd44

memory/1212-328-0x00000000002A0000-0x0000000000794000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d0cee2e5-13bd-4188-86af-b6ac54164a23.vbs

MD5 af62624514d026e1cafa048b494a8ff6
SHA1 e50dcd339779c64ab386171851e0cbba04cb48c9
SHA256 d775f3f72118c6b8de88e28c2f5d9c6539537297684b61e768d6747c7fb3479d
SHA512 d364d466e7221e2ac365535edf3a8d5eddf0f5954ed7c35bafef2db334245506f0421a33d78ba22be44452f06dda0132e3f8d6fc871f77185b6f8eea74a1946f

memory/2964-343-0x0000000000FF0000-0x00000000014E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9a945e8-121d-4b6d-af62-a915ca985284.vbs

MD5 b2c45c4fa767d5e9c2ad8668599e237d
SHA1 641375e69baa3987e547791b0746aed20a7a7554
SHA256 fc806d8db270279193b331429b78194267651fab4efb44f43f1bdfb7bbc7d587
SHA512 503433977b3350bf866e7cb71649dbfd1a3e3be55730a0d32fcfa622c9bc485b596ebf9f3998f524503c65d4b8fecf14e88a0fe97fec908f5a28561ae12a0c92

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 16:31

Reported

2024-11-08 16:33

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\ShellComponents\System.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp31B9.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp31B9.tmp.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6CBF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6CBF.tmp.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp26F7.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp26F7.tmp.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp742C.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp742C.tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\host\2df7d9e56efdae C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\RCXC184.tmp C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCXCA41.tmp C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\2df7d9e56efdae C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Program Files\dotnet\host\RCXC398.tmp C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Program Files (x86)\Microsoft\dllhost.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC82D.tmp C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Program Files\dotnet\host\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Program Files\Windows Portable Devices\dwm.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXB673.tmp C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\dllhost.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Program Files\dotnet\host\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\dwm.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Program Files (x86)\Microsoft\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ShellComponents\RCXBF41.tmp C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Windows\ShellComponents\System.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Windows\Migration\WTR\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Windows\Migration\WTR\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Windows\ShellComponents\System.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File created C:\Windows\ShellComponents\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Windows\Migration\WTR\RCXBAAB.tmp C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
File opened for modification C:\Windows\Migration\WTR\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp742C.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp31B9.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp26F7.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp6CBF.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\ShellComponents\System.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A
N/A N/A C:\Windows\ShellComponents\System.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ShellComponents\System.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 2848 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 2848 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 632 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 632 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 632 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 1772 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 1772 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 1772 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 1772 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 1772 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 1772 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 1772 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe
PID 2848 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\ShellComponents\System.exe
PID 2848 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe C:\Windows\ShellComponents\System.exe
PID 4588 wrote to memory of 4676 N/A C:\Windows\ShellComponents\System.exe C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe
PID 4588 wrote to memory of 4676 N/A C:\Windows\ShellComponents\System.exe C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe
PID 4588 wrote to memory of 4676 N/A C:\Windows\ShellComponents\System.exe C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe
PID 4588 wrote to memory of 1276 N/A C:\Windows\ShellComponents\System.exe C:\Windows\System32\WScript.exe
PID 4588 wrote to memory of 1276 N/A C:\Windows\ShellComponents\System.exe C:\Windows\System32\WScript.exe
PID 4588 wrote to memory of 916 N/A C:\Windows\ShellComponents\System.exe C:\Windows\System32\WScript.exe
PID 4588 wrote to memory of 916 N/A C:\Windows\ShellComponents\System.exe C:\Windows\System32\WScript.exe
PID 4676 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe
PID 4676 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe
PID 4676 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe
PID 4676 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe
PID 4676 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe
PID 4676 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe
PID 4676 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe
PID 1276 wrote to memory of 2972 N/A C:\Windows\System32\WScript.exe C:\Windows\ShellComponents\System.exe
PID 1276 wrote to memory of 2972 N/A C:\Windows\System32\WScript.exe C:\Windows\ShellComponents\System.exe
PID 2972 wrote to memory of 2548 N/A C:\Windows\ShellComponents\System.exe C:\Windows\System32\WScript.exe
PID 2972 wrote to memory of 2548 N/A C:\Windows\ShellComponents\System.exe C:\Windows\System32\WScript.exe
PID 2972 wrote to memory of 2664 N/A C:\Windows\ShellComponents\System.exe C:\Windows\System32\WScript.exe
PID 2972 wrote to memory of 2664 N/A C:\Windows\ShellComponents\System.exe C:\Windows\System32\WScript.exe
PID 2972 wrote to memory of 2488 N/A C:\Windows\ShellComponents\System.exe C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe
PID 2972 wrote to memory of 2488 N/A C:\Windows\ShellComponents\System.exe C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe
PID 2972 wrote to memory of 2488 N/A C:\Windows\ShellComponents\System.exe C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe
PID 2488 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe
PID 2488 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe
PID 2488 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe
PID 2488 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ShellComponents\System.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

"C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N3" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N3" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellComponents\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ShellComponents\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N3" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\host\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N3" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\host\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\ShellComponents\System.exe

"C:\Windows\ShellComponents\System.exe"

C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\011faf4b-92bc-408e-8ff3-a6662252933f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36cc0112-55e4-46d9-ba63-fd600f2a09f6.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDD7F.tmp.exe"

C:\Windows\ShellComponents\System.exe

C:\Windows\ShellComponents\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\695a3016-764d-4e87-88ba-678815289079.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0474aac5-1391-49a6-bf41-fc6141f65dbd.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFFBD.tmp.exe"

C:\Windows\ShellComponents\System.exe

C:\Windows\ShellComponents\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2737e3f-cf74-4f49-a216-9d8bdecc1e61.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1759f6e1-e63e-430d-803e-4bfa0fe60eee.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp31B9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp31B9.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp31B9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp31B9.tmp.exe"

C:\Windows\ShellComponents\System.exe

C:\Windows\ShellComponents\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9187353-48cb-4f9e-961b-9e1b24b4c8b8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34e58ed6-6180-4bc9-834e-9c28ab0fb3a8.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.exe"

C:\Windows\ShellComponents\System.exe

C:\Windows\ShellComponents\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e42fcf3-1e77-4909-88ea-d922ac1d9170.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33c59537-747e-4436-af89-f52e3ae781c6.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp6CBF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6CBF.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp6CBF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6CBF.tmp.exe"

C:\Windows\ShellComponents\System.exe

C:\Windows\ShellComponents\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34b4d0a7-36d2-4e06-971c-feb86bf86318.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c24633a6-ab1f-4c9e-b20f-e80141f311e8.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA19A.tmp.exe"

C:\Windows\ShellComponents\System.exe

C:\Windows\ShellComponents\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aa23287-bd31-41bb-8968-67d266dab9a6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ddba66d-a107-4861-8aee-a6582f086acd.vbs"

C:\Windows\ShellComponents\System.exe

C:\Windows\ShellComponents\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48c51488-76ac-454a-a96c-b8b8be10d72a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39f6df77-ffb1-4573-8052-da3114c87203.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp.exe"

C:\Windows\ShellComponents\System.exe

C:\Windows\ShellComponents\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f88d1a3-482b-4e43-ae31-a0f70e017d19.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6109454f-e509-4949-a520-bd992b863915.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp26F7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp26F7.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp26F7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp26F7.tmp.exe"

C:\Windows\ShellComponents\System.exe

C:\Windows\ShellComponents\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1a614be-0ca2-43c8-a5b3-ab75507dbe18.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f5753c7-ba0b-4c18-9f99-9e76e617b69a.vbs"

C:\Windows\ShellComponents\System.exe

C:\Windows\ShellComponents\System.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b45c1d1-357a-4b4d-b504-59506b6df828.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0494594c-5458-4f61-b823-770db0a117d7.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp742C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp742C.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp742C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp742C.tmp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 200.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp

Files

memory/2848-0-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp

memory/2848-1-0x0000000000D60000-0x0000000001254000-memory.dmp

memory/2848-2-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

memory/2848-3-0x000000001C000000-0x000000001C12E000-memory.dmp

memory/2848-4-0x0000000003470000-0x000000000348C000-memory.dmp

memory/2848-7-0x00000000034A0000-0x00000000034B0000-memory.dmp

memory/2848-6-0x0000000003300000-0x0000000003308000-memory.dmp

memory/2848-5-0x000000001C780000-0x000000001C7D0000-memory.dmp

memory/2848-8-0x000000001C730000-0x000000001C746000-memory.dmp

memory/2848-9-0x00000000034B0000-0x00000000034C0000-memory.dmp

memory/2848-10-0x000000001BFE0000-0x000000001BFEA000-memory.dmp

memory/2848-11-0x000000001C750000-0x000000001C762000-memory.dmp

memory/2848-14-0x000000001C770000-0x000000001C77E000-memory.dmp

memory/2848-13-0x000000001C760000-0x000000001C76A000-memory.dmp

memory/2848-15-0x000000001C7D0000-0x000000001C7DE000-memory.dmp

memory/2848-12-0x000000001CD00000-0x000000001D228000-memory.dmp

memory/2848-18-0x000000001C900000-0x000000001C90C000-memory.dmp

memory/2848-17-0x000000001C7F0000-0x000000001C7F8000-memory.dmp

memory/2848-16-0x000000001C7E0000-0x000000001C7E8000-memory.dmp

C:\Windows\Migration\WTR\taskhostw.exe

MD5 4f2a2b2ffa4db5771f5e9f6927ee7390
SHA1 dbcc615437c6925f3e18010854607e66c3e5bce3
SHA256 31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2
SHA512 51493c4ef3de3a62f6b630f24daf609d509a23cc1f663311496794a49e932fab57c0196f88688ddcd939028eead0bf46b2979bf5042c1ab5de3a0605a67c2f8e

C:\Users\Admin\AppData\Local\Temp\tmpB4CC.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/1128-72-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Recovery\WindowsRE\sihost.exe

MD5 4f2820048bf0e013adc67493d3bd1c21
SHA1 402e2d40a155542ea2b8bdfb7961ed69a3ddc73b
SHA256 fe10468c1ef634ebbea2828127ff0e311aa1fe571da57d9632064547ac598921
SHA512 b299e28ded1792ce5da7f82a265d801ee686ade6f3d5928ddaf743c0cdbb24105eb5afe551ac8d794fd7db431d9782666acf3de93531dcb7de1b1b51e8b8fc27

memory/2848-137-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjq321nh.zfr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4512-193-0x000001BB62A40000-0x000001BB62A62000-memory.dmp

memory/2848-287-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

memory/2848-299-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Temp\011faf4b-92bc-408e-8ff3-a6662252933f.vbs

MD5 d6ab849b9dc9b6ce06d427d7bb1ae437
SHA1 0755a63ea10c0eef3af2f737c1343584ca758577
SHA256 4e44c94a366df8ed98c9f577969515573184165b7e8fb5f0b6f4b2dad060db38
SHA512 990556f22f049d1235ac78a2701167c44247b789d6cc3d8f154e6d336220170367becf2d1744dbeca35cff80b2d69d1f463f54f77f72adf077de8cad35ff2776

C:\Users\Admin\AppData\Local\Temp\36cc0112-55e4-46d9-ba63-fd600f2a09f6.vbs

MD5 1ab2e04e92b45a1a3d61d48079e5100a
SHA1 ce0e9e6f3eec3d2ac623995d623e2d0a69cacda2
SHA256 4d860cd2490ee5e659312804a1786f097d0956360a2b43f22976b9d96cdb8a33
SHA512 8cdcce31afc317291e3b378f1c4ac9cdf7a8fa20cddc49f9e418e8d7ff3387874b5fc0863adae4251e98c330ffbeeef7b36cef6a79bdcd9b8e70e4d1568044c2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\695a3016-764d-4e87-88ba-678815289079.vbs

MD5 9029524f981d553ab60d11a98273af49
SHA1 7085869dddb1d8483e07c7a4d91896855083fbac
SHA256 bd1b09c4644430a24a62a09a6f30fc74368e2ed7c70f22a5ce31a94f6cfe3305
SHA512 c6f8cf350371e7a12aaeda8fe89be0fb73e26e5852512a62947df55c2b147e2dc1fd2e9d4952110e2cfb1e8e94cfeba798573dd2549f713848a53e99bce7b2a3

C:\Users\Admin\AppData\Local\Temp\d2737e3f-cf74-4f49-a216-9d8bdecc1e61.vbs

MD5 e87233ea1747c535704d54931960d526
SHA1 5c24cee86fb2e2f324434db3cfc7124f4a288825
SHA256 c97bcc6a4489b134a69720e62dc16764faae73130264190deefe29c1f03c3920
SHA512 904e7cf25e3a2e1a93007dd8111ebcd9b7a1db395be3ca10ce4e07852af04236d9fec56a512288af8a644647b718f41c0ad7e72fdeb861e57cdb03f3034a4d0d

C:\Users\Admin\AppData\Local\Temp\d9187353-48cb-4f9e-961b-9e1b24b4c8b8.vbs

MD5 d51da823720b61b937f67c43680a22ba
SHA1 65114a5ad9362b59209b7c94bd3735bb8447564b
SHA256 fa466c7d67c88799d1193f7cdf1c017cd451a780fc31a86354500c72f8dd64fc
SHA512 874ce8f956fca27b8e8801020e0db5083969557d3399488ebfb491a162d3aad329e467a049be31e8d21ae61722462f62999ecc13bff461147a4ade48deaeb154

C:\Users\Admin\AppData\Local\Temp\8e42fcf3-1e77-4909-88ea-d922ac1d9170.vbs

MD5 7e2c6212b84313690af10c690ed892f7
SHA1 40c8c3235f61e2e6ff33a65c3312e76c4582424d
SHA256 d65604abfa69ce00d1f00626c238fb1e46ae5b142fea459a854252cf135932fa
SHA512 bc064488f1f458829db04c9e9f121b6165f46b50e2fef369e15303a66940c4bb1aa8ba50e6601b392a45e2df58d8e9dea33edd97f4444a36b2cc4bf87306d779

C:\Users\Admin\AppData\Local\Temp\34b4d0a7-36d2-4e06-971c-feb86bf86318.vbs

MD5 44be681e5f2fa1a201d99824a59b263c
SHA1 f37e4378e86c3d5276d5f83df6647d275ce15c79
SHA256 42ac34a0bf9ea3b4e2e6666a1393c48ea200ad4c51b775883131c8f38b042206
SHA512 4a82cf7b5aad84cac7836224f356a16e742291b1a5e93d6860f35f1feeaf5a98f24cafba743cafbe2bc3d23b36f5a6eb6baeb00da9ea4f317f22a20fa4aebac5

C:\Users\Admin\AppData\Local\Temp\6aa23287-bd31-41bb-8968-67d266dab9a6.vbs

MD5 a96c798de18f80e4903913da18900624
SHA1 761a15477c4b05f2e89a835f81d88596fd9489f4
SHA256 95153f9103cd7e7b3699b6ab11502daa7d98c6775e9dbd8df3192bd269d2befd
SHA512 121137af120416fd134132030b8b894dab45c65db15d4495861b6d2a94619ed4b8190d802f9ee5b0d706b2c433cf7fdc4cd0e9ea3d1aa5a2dcb00c3160f0a455

memory/3444-513-0x000000001BC20000-0x000000001BC32000-memory.dmp