Malware Analysis Report

2024-11-13 16:53

Sample ID: 241109-n9dnmssrh1
Target: 7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N
SHA256: 7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4
Tags: dcrat evasion execution infostealer rat trojan colibri build1 discovery loader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4

Threat Level: Known bad

The file 7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Dcrat family

Colibri Loader

DcRat

Process spawned unexpected child process

Colibri family

UAC bypass

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

System policy modification

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 12:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 12:05
Reported: 2024-11-09 12:07
Platform: win7-20240729-en
Max time kernel: 118s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target | Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | (empty) | 48

UAC bypass

evasion trojan

Description | Indicator | Process | Target | Count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe | N/A | 6
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe | N/A | 6
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe | N/A | 6

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe | N/A | 6
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe | N/A | 6

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Uninstall Information\System.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\wininit.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\56085415360792 | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\RCXCD4A.tmp | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\RCXD3C2.tmp | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Program Files\Uninstall Information\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\RCXB888.tmp | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\1033\24dbde2999530e | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Program Files\Uninstall Information\System.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\RCXCB46.tmp | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\wininit.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCXBD6B.tmp | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Windows\Downloaded Program Files\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Windows\LiveKernelReports\RCXD5C6.tmp | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Windows\Downloaded Program Files\RCXBF6F.tmp | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Windows\LiveKernelReports\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Windows\Downloaded Program Files\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Windows\Downloaded Program Files\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Windows\LiveKernelReports\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File created | C:\Windows\LiveKernelReports\0001cd3dfe7b3b | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A
File opened for modification | C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 48

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A | 5
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12
N/A | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe | N/A | 6

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12
Token: SeDebugPrivilege | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe | N/A | 6

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2112 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2112 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe | 3
PID 2068 wrote to memory of 2752 | N/A | C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe | C:\Windows\System32\WScript.exe | 1
PID 2068 wrote to memory of 2752 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2068 wrote to memory of 2752 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2068 wrote to memory of 2716 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2068 wrote to memory of 2716 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2068 wrote to memory of 2716 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2752 wrote to memory of 1212 N/A C:\Windows\System32\WScript.exe C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
PID 2752 wrote to memory of 1212 N/A C:\Windows\System32\WScript.exe C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
PID 2752 wrote to memory of 1212 N/A C:\Windows\System32\WScript.exe C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
PID 1212 wrote to memory of 1056 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 1212 wrote to memory of 1056 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 1212 wrote to memory of 1056 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 1212 wrote to memory of 1208 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 1212 wrote to memory of 1208 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 1212 wrote to memory of 1208 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 1056 wrote to memory of 2576 N/A C:\Windows\System32\WScript.exe C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
PID 1056 wrote to memory of 2576 N/A C:\Windows\System32\WScript.exe C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
PID 1056 wrote to memory of 2576 N/A C:\Windows\System32\WScript.exe C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
PID 2576 wrote to memory of 2524 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2524 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2524 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2280 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2280 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2576 wrote to memory of 2280 N/A C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe C:\Windows\System32\WScript.exe
PID 2524 wrote to memory of 836 N/A C:\Windows\System32\WScript.exe C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe

"C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N7" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N7" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

"C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ed5967-22db-4bfa-bc7b-2db98b3c2e45.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dad0acac-24d9-4c8d-8aa0-0fe11bfa2c9b.vbs"

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\633690a0-454f-4e86-9f10-a9a0e35b3ef0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22016fb9-c982-4c1b-8943-0377196c4f99.vbs"

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ee59cee-53f2-4ef7-97c2-169fb390b514.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03c6e9c6-331d-4d9f-9214-53de40310145.vbs"

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f8ac9c5-0964-4c0f-b635-b8901a7268f7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2757b2e0-5145-4d50-99b5-88bce2fecbd6.vbs"

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f8a5bc-1cda-455a-9410-71db6582d686.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3f187bc-c9a3-469d-994a-c734220a3175.vbs"

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86eb578a-594e-4e30-87f3-66cac2cb09c4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69baab7a-869c-4099-a750-2e0cae68dc31.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 12:05

Reported

2024-11-09 12:07

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\SystemResources\Windows.UI.Cred\pris\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A

DCRat payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Searches\sihost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe N/A
N/A N/A C:\Users\Admin\Searches\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe N/A
N/A N/A C:\Users\Admin\Searches\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe N/A
N/A N/A C:\Users\Admin\Searches\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe N/A
N/A N/A C:\Users\Admin\Searches\sihost.exe N/A
N/A N/A C:\Users\Admin\Searches\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe N/A
N/A N/A C:\Users\Admin\Searches\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe N/A
N/A N/A C:\Users\Admin\Searches\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe N/A
N/A N/A C:\Users\Admin\Searches\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe N/A
N/A N/A C:\Users\Admin\Searches\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe N/A
N/A N/A C:\Users\Admin\Searches\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3212 set thread context of 3292 N/A C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe
PID 5052 set thread context of 4248 N/A C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe
PID 1820 set thread context of 4636 N/A C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe
PID 5104 set thread context of 4536 N/A C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe
PID 2696 set thread context of 4508 N/A C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe
PID 3564 set thread context of 5104 N/A C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe
PID 4176 set thread context of 3528 N/A C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe
PID 1400 set thread context of 3400 N/A C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe
PID 3988 set thread context of 2764 N/A C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe
PID 2696 set thread context of 1196 N/A C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe
PID 3656 set thread context of 976 N/A C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\RCX8F67.tmp C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX93FD.tmp C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCX88AD.tmp C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemResources\Windows.UI.Cred\pris\RCX8426.tmp C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.Cred\pris\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File created C:\Windows\ShellExperiences\dllhost.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File opened for modification C:\Windows\ShellExperiences\dllhost.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File created C:\Windows\ShellExperiences\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File created C:\Windows\SystemResources\Windows.UI.Cred\pris\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
File created C:\Windows\SystemResources\Windows.UI.Cred\pris\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\Searches\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\Searches\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\Searches\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\Searches\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\Searches\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\Searches\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\Searches\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\Searches\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\Searches\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\Searches\sihost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Searches\sihost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4052 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe
PID 3212 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe
PID 4052 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4052 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
PID 1576 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe
PID 1576 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe C:\Users\Admin\Searches\sihost.exe
PID 5052 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Searches\sihost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe

"C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe

"C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Searches\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe"

C:\Users\Admin\Searches\sihost.exe

"C:\Users\Admin\Searches\sihost.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e2c8be0-ac57-490e-905b-eebd46554b9e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17553b89-00ce-4f20-93ff-f9a6ef4381b1.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe"

C:\Users\Admin\Searches\sihost.exe

C:\Users\Admin\Searches\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6acd2691-f044-4581-a343-9bf5db782544.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03522d5a-d680-476d-8b8f-597cbe74c35f.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe"

C:\Users\Admin\Searches\sihost.exe

C:\Users\Admin\Searches\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb1f49e1-745d-41bb-b2a1-5a1b5394f778.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51eec009-7f10-46ea-acde-434fe204b022.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe"

C:\Users\Admin\Searches\sihost.exe

C:\Users\Admin\Searches\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef7ca4ca-4f60-4fdf-a915-d7a31b0fd49d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5001a5d5-8591-42b3-b8ec-1c1f49e7717d.vbs"

C:\Users\Admin\Searches\sihost.exe

C:\Users\Admin\Searches\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\194b37d3-a4a9-4bec-a823-a0ac02d2279d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9edadea-5d77-417f-8df5-c67fb1b02008.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe"

C:\Users\Admin\Searches\sihost.exe

C:\Users\Admin\Searches\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ceb08c1d-238f-4551-afe5-267de991b2fb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22580c65-f876-4577-9521-f8b53f6150e3.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe"

C:\Users\Admin\Searches\sihost.exe

C:\Users\Admin\Searches\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61f640cd-8a01-4c52-abed-3f4f4b9b7d42.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9e73cb3-fc7f-4c53-aa2a-ef1ecb9dbe19.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe"

C:\Users\Admin\Searches\sihost.exe

C:\Users\Admin\Searches\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd08280d-7e46-4d4a-bca5-ea3f0f093ee2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\426e46b7-7432-410d-a941-775bb922f476.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe"

C:\Users\Admin\Searches\sihost.exe

C:\Users\Admin\Searches\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c462a84-44b3-4384-b6c1-fcc6f175c686.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b837504-bc5e-4a8e-b5a9-c07971e78c84.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe"

C:\Users\Admin\Searches\sihost.exe

C:\Users\Admin\Searches\sihost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\269b0063-7dd0-48c8-ae19-063bc75c828c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a12519-0cf1-4f61-a330-113543cf3463.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe"

Network


Files
