Malware Analysis Report

2024-11-13 16:52

Sample ID 241109-cpejnatqgw
Target 82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N
SHA256 82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2
Tags
colibri dcrat build1 discovery evasion execution infostealer loader rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2

Threat Level: Known bad

The file 82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N was found to be: Known bad.

Malicious Activity Summary

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

DcRat

Colibri family

Colibri Loader

UAC bypass

Process spawned unexpected child process

Dcrat family

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

System policy modification

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 02:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 02:14

Reported

2024-11-09 02:16

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(row repeated 51 times: 51 separate schtasks.exe processes spawned by wmiprvse.exe)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Multimedia Platform\wininit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\wininit.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Defender\System.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\RCXDE15.tmp C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\RCXE4BF.tmp C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files (x86)\Windows NT\wininit.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\wininit.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCXEB4A.tmp C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\e9a5a9c93980df C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files (x86)\Windows Defender\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files (x86)\Windows NT\56085415360792 C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\dwm.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files\Windows Multimedia Platform\56085415360792 C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RCXCDA1.tmp C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Program Files (x86)\Windows Defender\System.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RCXE8C8.tmp C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\dwm.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\RCXD5E4.tmp C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File created C:\Windows\Tasks\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Windows\Tasks\RCXEFCF.tmp C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
File opened for modification C:\Windows\Tasks\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp728B.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Windows Multimedia Platform\wininit.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\wininit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
PID 4892 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
PID 4892 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
PID 2072 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
PID 2072 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
PID 2072 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
PID 2072 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
PID 2072 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
PID 2072 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
PID 2072 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
PID 4892 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Program Files\Windows Multimedia Platform\wininit.exe
PID 4892 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Program Files\Windows Multimedia Platform\wininit.exe
PID 4200 wrote to memory of 2192 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Windows\System32\WScript.exe
PID 4200 wrote to memory of 2192 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Windows\System32\WScript.exe
PID 4200 wrote to memory of 1676 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Windows\System32\WScript.exe
PID 4200 wrote to memory of 1676 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Windows\System32\WScript.exe
PID 4200 wrote to memory of 2292 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 4200 wrote to memory of 2292 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 4200 wrote to memory of 2292 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 2292 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 2292 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 2292 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 3932 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 3932 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 3932 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 3256 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 3256 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 3256 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 3256 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 3256 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 3256 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 3256 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
PID 2192 wrote to memory of 2452 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Multimedia Platform\wininit.exe
PID 2192 wrote to memory of 2452 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Multimedia Platform\wininit.exe
PID 2452 wrote to memory of 1388 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Windows\System32\WScript.exe
PID 2452 wrote to memory of 1388 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Windows\System32\WScript.exe
PID 2452 wrote to memory of 3920 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Windows\System32\WScript.exe
PID 2452 wrote to memory of 3920 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Windows\System32\WScript.exe
PID 1388 wrote to memory of 1956 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Multimedia Platform\wininit.exe
PID 1388 wrote to memory of 1956 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Multimedia Platform\wininit.exe
PID 1956 wrote to memory of 3156 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Windows\System32\WScript.exe
PID 1956 wrote to memory of 3156 N/A C:\Program Files\Windows Multimedia Platform\wininit.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Multimedia Platform\wininit.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe

"C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N8" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N8" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\SendTo\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Tasks\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\TextInputHost.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0f1e146-5c91-4abc-bd17-976b7e9f2423.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e43bb37-603e-4f60-9a67-9bd2fd4f2890.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe"

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df1c21d9-653a-4ba3-9279-1c359d6c08d5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4c0b5db-2262-46e4-8429-0ed4284ee486.vbs"

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\101d9c29-064c-4942-8656-94a3004aab6e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b4e7561-0c9d-457a-a18e-e8b11890abf0.vbs"

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c50de5a4-8088-4629-8314-9dc91aca105e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4df113b0-9ccd-425f-a56f-c564a8bd3177.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp728B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp728B.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp728B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp728B.tmp.exe"

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6660495e-904b-45e5-9906-bc58952b5caf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7c36138-ef3f-4e6b-bfc9-971bfd41d9d7.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe"

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57832c1f-2269-45a0-a446-7ba6f6a652ab.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f167d7fd-d274-4c89-b19f-2f32be848bd2.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe"

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\072fd804-d248-4a11-92f3-fdcd24659c50.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42b88306-7a54-4114-a8bf-ca79e32acf99.vbs"

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30a8b645-fdc2-47d8-8877-4132fb7031f7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d59f5faa-6ea0-4c1d-b2cc-5d972581228e.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe"

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ed1ced3-09c7-470a-b4ed-c06051d9b2a5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9859ccad-3769-4981-be74-7316d4b86cb6.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe"

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06ffd7fa-8e33-411b-91f6-f42a99025205.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb737a06-760c-4c13-808a-950a2f2455bc.vbs"

C:\Program Files\Windows Multimedia Platform\wininit.exe

"C:\Program Files\Windows Multimedia Platform\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2189fc04-152d-489b-91ab-41a8c92ba412.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c7ca6a7-dc68-481a-ad9a-029b621a2314.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 8.2.21.104.in-addr.arpa udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp

Files

C:\Program Files (x86)\Windows Defender\System.exe

C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe

C:\Program Files\Windows Multimedia Platform\wininit.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55doijbe.wjc.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\f0f1e146-5c91-4abc-bd17-976b7e9f2423.vbs

C:\Users\Admin\AppData\Local\Temp\0e43bb37-603e-4f60-9a67-9bd2fd4f2890.vbs

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

C:\Users\Admin\AppData\Local\Temp\df1c21d9-653a-4ba3-9279-1c359d6c08d5.vbs

C:\Users\Admin\AppData\Local\Temp\101d9c29-064c-4942-8656-94a3004aab6e.vbs

C:\Users\Admin\AppData\Local\Temp\6660495e-904b-45e5-9906-bc58952b5caf.vbs

C:\Users\Admin\AppData\Local\Temp\57832c1f-2269-45a0-a446-7ba6f6a652ab.vbs

C:\Users\Admin\AppData\Local\Temp\072fd804-d248-4a11-92f3-fdcd24659c50.vbs

C:\Users\Admin\AppData\Local\Temp\30a8b645-fdc2-47d8-8877-4132fb7031f7.vbs

C:\Users\Admin\AppData\Local\Temp\0ed1ced3-09c7-470a-b4ed-c06051d9b2a5.vbs


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 02:14

Reported

2024-11-09 02:16

Platform

win7-20240903-en

Max time kernel

119s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Downloads\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Downloads\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Downloads\wininit.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\Downloads\wininit.exe N/A
N/A N/A C:\Users\Public\Downloads\wininit.exe N/A
N/A N/A C:\Users\Public\Downloads\wininit.exe N/A
N/A N/A C:\Users\Public\Downloads\wininit.exe N/A
N/A N/A C:\Users\Public\Downloads\wininit.exe N/A
N/A N/A C:\Users\Public\Downloads\wininit.exe N/A
N/A N/A C:\Users\Public\Downloads\wininit.exe N/A
N/A N/A C:\Users\Public\Downloads\wininit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 entries)
Token: SeDebugPrivilege N/A C:\Users\Public\Downloads\wininit.exe N/A (8 entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 entries)
PID 2856 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe C:\Windows\System32\cmd.exe (3 entries)
PID 2224 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 entries)
PID 2224 wrote to memory of 1036 N/A C:\Windows\System32\cmd.exe C:\Users\Public\Downloads\wininit.exe (3 entries)
PID 1036 wrote to memory of 2704 N/A C:\Users\Public\Downloads\wininit.exe C:\Windows\System32\WScript.exe (3 entries)
PID 1036 wrote to memory of 568 N/A C:\Users\Public\Downloads\wininit.exe C:\Windows\System32\WScript.exe (3 entries)
PID 2704 wrote to memory of 2188 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Downloads\wininit.exe (3 entries)
PID 2188 wrote to memory of 1948 N/A C:\Users\Public\Downloads\wininit.exe C:\Windows\System32\WScript.exe (3 entries)
PID 2188 wrote to memory of 2080 N/A C:\Users\Public\Downloads\wininit.exe C:\Windows\System32\WScript.exe (3 entries)
PID 1948 wrote to memory of 868 N/A C:\Windows\System32\WScript.exe C:\Users\Public\Downloads\wininit.exe (3 entries)
PID 868 wrote to memory of 2508 N/A C:\Users\Public\Downloads\wininit.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Downloads\wininit.exe N/A (8 entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Downloads\wininit.exe N/A (8 entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Downloads\wininit.exe N/A (8 entries)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe

"C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9MOUOnUXi1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Downloads\wininit.exe

"C:\Users\Public\Downloads\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c44ddfab-cbb8-4928-a85d-74277d825cf0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d8132a5-f6eb-4586-a0c7-45e4e3ce5b9b.vbs"

C:\Users\Public\Downloads\wininit.exe

C:\Users\Public\Downloads\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72bde2f8-80a4-46ef-bf30-2719385cd00c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62585533-e288-4243-a6a8-989017c98cf8.vbs"

C:\Users\Public\Downloads\wininit.exe

C:\Users\Public\Downloads\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0f4a276-7d45-4460-adb0-6fd1bd5b59aa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7755b998-a578-457c-83db-505db6876e68.vbs"

C:\Users\Public\Downloads\wininit.exe

C:\Users\Public\Downloads\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e85a21d-7f3b-4752-9bff-0639079d9e26.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6925bda-ab03-441a-9952-dd7f9c4c4055.vbs"

C:\Users\Public\Downloads\wininit.exe

C:\Users\Public\Downloads\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e15ae4-b0bd-46ab-8ea8-ee5c2ea8b004.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb1c7289-ae72-42bf-924f-b0fbbe902337.vbs"

C:\Users\Public\Downloads\wininit.exe

C:\Users\Public\Downloads\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3516bcf-712d-481b-aec4-ededab338546.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19f2100c-547f-40fc-88f5-7c03fad0f748.vbs"

C:\Users\Public\Downloads\wininit.exe

C:\Users\Public\Downloads\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\902d21a0-4bd1-45aa-956a-d6ca506ecebc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cfc167f-d97a-453a-8a40-168e06af244a.vbs"

C:\Users\Public\Downloads\wininit.exe

C:\Users\Public\Downloads\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2945643-272c-48a6-b009-b7813a405172.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\278e6a4d-5669-4f65-885d-0090a5419770.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp (8 entries)

Files

C:\MSOCache\All Users\spoolsv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

\??\PIPE\srvsvc

C:\Users\Admin\AppData\Local\Temp\9MOUOnUXi1.bat

C:\Users\Public\Downloads\wininit.exe

C:\Users\Admin\AppData\Local\Temp\c44ddfab-cbb8-4928-a85d-74277d825cf0.vbs

C:\Users\Admin\AppData\Local\Temp\8d8132a5-f6eb-4586-a0c7-45e4e3ce5b9b.vbs

C:\Users\Admin\AppData\Local\Temp\72bde2f8-80a4-46ef-bf30-2719385cd00c.vbs

C:\Users\Admin\AppData\Local\Temp\tmpD059.tmp.exe

C:\Users\Admin\AppData\Local\Temp\d0f4a276-7d45-4460-adb0-6fd1bd5b59aa.vbs

C:\Users\Admin\AppData\Local\Temp\5e85a21d-7f3b-4752-9bff-0639079d9e26.vbs

C:\Users\Admin\AppData\Local\Temp\08e15ae4-b0bd-46ab-8ea8-ee5c2ea8b004.vbs

C:\Users\Admin\AppData\Local\Temp\c3516bcf-712d-481b-aec4-ededab338546.vbs

C:\Users\Admin\AppData\Local\Temp\902d21a0-4bd1-45aa-956a-d6ca506ecebc.vbs

C:\Users\Admin\AppData\Local\Temp\c2945643-272c-48a6-b009-b7813a405172.vbs