Malware Analysis Report

2024-11-30 22:11

Sample ID 241115-3zs3xatre1
Target 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099
SHA256 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099
Tags
dcrat evasion execution infostealer rat trojan colibri build1 discovery loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099

Threat Level: Known bad

The file 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099 was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Colibri family

UAC bypass

Dcrat family

DcRat

Colibri Loader

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 23:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 23:57

Reported

2024-11-16 00:00

Platform

win7-20240903-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe N/A 54

UAC bypass

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A 14
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A 14
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A 14
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A 1

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A 14
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A 14
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A 1

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows NT\RCX991F.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\Windows NT\csrss.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\taskhost.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\RCXA47A.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files (x86)\Microsoft Office\1a3909386688ef C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\RCX9D94.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\7-Zip\Lang\taskhost.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\DVD Maker\de-DE\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\Windows NT\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\Reference Assemblies\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\Reference Assemblies\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\RCX86DE.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\7-Zip\Lang\b75386f1303e64 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\Windows NT\csrss.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\DVD Maker\de-DE\RCX898E.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXA276.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Setup\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\56085415360792 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\Setup\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\Fonts\dllhost.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\Fonts\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\system\RCX940E.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\RCX969F.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\Resources\Themes\Aero\fr-FR\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\Resources\Themes\Aero\fr-FR\RCX920B.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\Setup\RCXA90E.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\system\56085415360792 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\system\wininit.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\Setup\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\Fonts\RCXAB12.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\Fonts\dllhost.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\system\wininit.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\schtasks.exe N/A 54

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A 7
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
N/A N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A 9
N/A N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
N/A N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
N/A N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
N/A N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
N/A N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 2932 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 2932 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 2932 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 2932 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 396 wrote to memory of 680 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 396 wrote to memory of 680 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 396 wrote to memory of 680 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 396 wrote to memory of 2772 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 396 wrote to memory of 2772 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 396 wrote to memory of 2772 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 680 wrote to memory of 1136 N/A C:\Windows\System32\WScript.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 680 wrote to memory of 1136 N/A C:\Windows\System32\WScript.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 680 wrote to memory of 1136 N/A C:\Windows\System32\WScript.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 680 wrote to memory of 1136 N/A C:\Windows\System32\WScript.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 680 wrote to memory of 1136 N/A C:\Windows\System32\WScript.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 1136 wrote to memory of 2204 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1136 wrote to memory of 2204 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1136 wrote to memory of 2204 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1136 wrote to memory of 1744 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1136 wrote to memory of 1744 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1136 wrote to memory of 1744 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2204 wrote to memory of 2712 N/A C:\Windows\System32\WScript.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 2204 wrote to memory of 2712 N/A C:\Windows\System32\WScript.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 2204 wrote to memory of 2712 N/A C:\Windows\System32\WScript.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 2204 wrote to memory of 2712 N/A C:\Windows\System32\WScript.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 2204 wrote to memory of 2712 N/A C:\Windows\System32\WScript.exe C:\Program Files\DVD Maker\de-DE\sppsvc.exe
PID 2712 wrote to memory of 2172 N/A C:\Program Files\DVD Maker\de-DE\sppsvc.exe C:\Windows\System32\WScript.exe
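
The rows above are enough to rebuild the process tree and to see the relaunch loop between sppsvc.exe and WScript.exe. The following Python is an added example written for this page; it is not sandbox output and not code belonging to the sample. It parses rows in the exact format shown, collapses the repeated writes that a single process creation produces into one parent/child edge, finds the detonated root and walks the longest chain to count exe -> WScript.exe -> same exe hops. PIDs and image paths are copied from the table; the two duplicate rows are constructed to exercise the de-duplication.

```python
import re

# Added example (not part of the sandbox report): rebuild the process tree from the
# "Suspicious use of WriteProcessMemory" rows and measure the VBS relaunch chain.
# Every CreateProcess shows up as several writes into the new child, so rows repeat;
# the parser de-duplicates on (parent, child).

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SPPSVC = r"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"

# Constructed sample: one row per (parent, child) pair from the table above, plus two
# duplicates (2588 and 396 twice) to show that repeated writes collapse to a single edge.
PAIRS = [(2932, c, SAMPLE_EXE, POWERSHELL) for c in
         (2588, 2588, 2340, 2108, 2512, 1032, 1624, 1920, 2572, 1628, 1752, 1828, 2036)]
PAIRS += [
    (2932, 396, SAMPLE_EXE, SPPSVC), (2932, 396, SAMPLE_EXE, SPPSVC),
    (396, 680, SPPSVC, WSCRIPT), (396, 2772, SPPSVC, WSCRIPT),
    (680, 1136, WSCRIPT, SPPSVC),
    (1136, 2204, SPPSVC, WSCRIPT), (1136, 1744, SPPSVC, WSCRIPT),
    (2204, 2712, WSCRIPT, SPPSVC),
    (2712, 2172, SPPSVC, WSCRIPT),
]
ROWS = [f"PID {a} wrote to memory of {b} N/A {p} {t}" for a, b, p, t in PAIRS]


def parse_rows(rows):
    """Return (names, tree): pid -> image path, and parent pid -> ordered child pids."""
    names, tree = {}, {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # rows from other signatures, or a format we do not understand
        parent, child = int(m.group(1)), int(m.group(2))
        names.setdefault(parent, m.group(3))
        names.setdefault(child, m.group(4))
        kids = tree.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return names, tree


def roots(tree):
    """Parents that never appear as a child: the detonated sample in a sandbox run."""
    children = {c for kids in tree.values() for c in kids}
    return [p for p in tree if p not in children]


def longest_chain(tree, node):
    """Deepest parent->child path starting at node (the relaunch chain, not the fan-out)."""
    best = [node]
    for child in tree.get(node, []):
        candidate = [node] + longest_chain(tree, child)
        if len(candidate) > len(best):
            best = candidate
    return best


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def count_script_relaunches(chain, names):
    """Count exe -> WScript.exe -> same exe hops: each one is a VBS-mediated self-relaunch."""
    hops = 0
    for i in range(1, len(chain) - 1):
        if image_name(names[chain[i]]) == "wscript.exe" and \
           image_name(names[chain[i - 1]]) == image_name(names[chain[i + 1]]):
            hops += 1
    return hops


def render(tree, names, node, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{node} {image_name(names[node])}"]
    for child in tree.get(node, []):
        lines.extend(render(tree, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    names, tree = parse_rows(ROWS)
    root = roots(tree)[0]
    print("\n".join(render(tree, names, root)))
    chain = longest_chain(tree, root)
    print("relaunch chain:", " -> ".join(f"{p}:{image_name(names[p])}" for p in chain))
    print("VBS relaunches:", count_script_relaunches(chain, names))
```

Run over these rows the chain comes out as 2932 -> 396 -> 680 -> 1136 -> 2204 -> 2712 -> 2172, i.e. two complete sppsvc.exe / WScript.exe / sppsvc.exe hops within the detonation window, while the twelve powershell.exe children are a flat fan-out from the sample and take no part in the loop. The tree functions work unchanged on any (parent, child) pairs, for example Sysmon Event ID 1 records, once the row regex is swapped for that source's format.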

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\DVD Maker\de-DE\sppsvc.exe N/A
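
The three values written above are the registry switches behind UAC. The Python below is an added example for this page, not sandbox output and not code from the sample: it parses rows in the format of the table, records which process wrote each value, states what each written value means once it is in the registry, and produces the values to restore. The BASELINE numbers are the Windows client defaults and are this example's assumption rather than something the report records; the row under an unrelated key is constructed as a control the parser must ignore, and read_live() is an optional live check that only does anything on a Windows host.

```python
import re

# Added example (not part of the sandbox report): parse the "System policy modification"
# rows above, state what each written UAC value does, and list the values to restore.
# BASELINE holds the Windows client defaults; that baseline is this example's assumption.

ROW_RE = re.compile(
    r'^Set value \((\w+)\) (\\REGISTRY\\\S+)\\(\w+) = "(-?\d+)" (.+?\.exe) N/A$', re.I)
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
BASELINE = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
EFFECT = {
    ("EnableLUA", 0): "UAC disabled for all users once the machine reboots; "
                      "administrators then run everything with a full token",
    ("ConsentPromptBehaviorAdmin", 0): "administrators elevate with no prompt at all",
    ("PromptOnSecureDesktop", 0): "any remaining prompt is drawn on the normal desktop, "
                                  "where other processes can overlay or drive it",
}

SPP = r"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe"
# Constructed sample: four rows copied from the table above plus one made-up row under an
# unrelated key, which the parser must ignore.
SAMPLE_ROWS = [
    f'Set value (int) {UAC_KEY}\\ConsentPromptBehaviorAdmin = "0" {SPP} N/A',
    f'Set value (int) {UAC_KEY}\\PromptOnSecureDesktop = "0" {SPP} N/A',
    f'Set value (int) {UAC_KEY}\\EnableLUA = "0" {SPP} N/A',
    f'Set value (int) {UAC_KEY}\\ConsentPromptBehaviorAdmin = "0" {SAMPLE_EXE} N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Example\Unrelated = "1" C:\example\tool.exe N/A',
]


def parse_rows(rows):
    """{value name: {"data": last written int, "writers": set of image paths}} for the UAC key."""
    observed = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m or m.group(2).lower() != UAC_KEY.lower():
            continue
        name, data, writer = m.group(3), int(m.group(4)), m.group(5)
        entry = observed.setdefault(name, {"data": data, "writers": set()})
        entry["data"] = data          # last write wins, as in the registry itself
        entry["writers"].add(writer)
    return observed


def assess(observed):
    """One finding per UAC value that differs from the baseline, with its practical effect."""
    findings = []
    for name, baseline in BASELINE.items():
        if name in observed and observed[name]["data"] != baseline:
            data = observed[name]["data"]
            findings.append({"value": name, "data": data, "baseline": baseline,
                             "effect": EFFECT.get((name, data), "non-default value"),
                             "writers": sorted(observed[name]["writers"])})
    return findings


def remediation(observed):
    """Values to write back under HKLM\\...\\Policies\\System (EnableLUA needs a reboot)."""
    return {f["value"]: f["baseline"] for f in assess(observed)}


def read_live():
    """On a Windows host, read the current values straight from HKLM; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")
    live = {}
    for name in BASELINE:
        try:
            data, _ = winreg.QueryValueEx(key, name)
            live[name] = {"data": int(data), "writers": set()}
        except FileNotFoundError:
            pass  # value absent: the default applies
    return live


if __name__ == "__main__":
    observed = read_live() or parse_rows(SAMPLE_ROWS)
    for f in assess(observed):
        print(f"{f['value']}={f['data']} (baseline {f['baseline']}): {f['effect']}")
        print("  written by:", ", ".join(f["writers"]))
    print("restore:", remediation(observed))
```

Two points worth keeping in mind when reading the table: EnableLUA=0 only bites after a reboot, so the ConsentPromptBehaviorAdmin=0 write is what removes the prompt for the rest of the current session, and both the dropped sppsvc.exe and the original sample write these values, so a clean-up that restores the registry without removing every scheduled task will be undone at the next task run.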

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe

"C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\system\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Videos\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Videos\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a0998" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a0998" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\My Videos\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Setup\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
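
Every persistence location above follows the same pattern: a Windows process name dropped somewhere it does not belong, registered three times (an interval task, an ONLOGON task with /rl HIGHEST, and a second interval task with /rl HIGHEST). The Python below is an added example for this page, not sandbox output and not code from the sample: it parses schtasks /create command lines in the form shown and groups them by action image so that pattern can be flagged. The MASQUERADED name list and the LEGIT_DIRS list are this example's own assumptions, and the "NightlyBackup" line is a constructed benign control that must not be flagged.

```python
import shlex
from collections import defaultdict

# Added example (not part of the sandbox report): parse the schtasks.exe /create command
# lines above and flag the persistence pattern they show. MASQUERADED and LEGIT_DIRS are
# this example's own choices, not something the report states.

# Constructed sample: six command lines copied from the process list above, plus one
# made-up benign task as a control that must not be flagged.
SAMPLE_CMDS = [
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',
]

# Names of Windows processes this sample borrows; a legitimate copy lives only in the
# directories listed in LEGIT_DIRS (Idle.exe has no legitimate image file at all).
MASQUERADED = {"csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "spoolsv.exe",
               "sppsvc.exe", "audiodg.exe", "dllhost.exe", "taskhost.exe", "idle.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

VALUE_SWITCHES = {"/tn", "/sc", "/mo", "/tr", "/rl", "/st"}  # switches that consume a value


def parse_schtasks(cmd):
    """Turn one schtasks /create line into a dict of the switches that matter for triage."""
    toks = shlex.split(cmd, posix=False)  # non-POSIX: backslashes are data, quotes are kept
    task = {"tn": None, "sc": None, "mo": None, "tr": None, "rl": None, "force": False}
    i = 0
    while i < len(toks):
        sw = toks[i].lower()
        if sw in VALUE_SWITCHES and i + 1 < len(toks):
            val = toks[i + 1].strip('"').strip("'")  # /tr is wrapped as "'path'"
            key = sw[1:]
            if key == "mo":
                val = int(val) if val.isdigit() else val
            elif key in ("sc", "rl"):
                val = val.upper()
            if key in task:
                task[key] = val
            i += 2
            continue
        if sw == "/f":
            task["force"] = True
        i += 1
    return task


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def image_dir(path):
    return path.rsplit("\\", 1)[0].lower()


def analyse(tasks):
    """Group tasks by action image and report why each group looks like malware persistence."""
    groups = defaultdict(list)
    for t in tasks:
        if t["tr"]:
            groups[t["tr"].lower()].append(t)
    findings = []
    for group in groups.values():
        image = group[0]["tr"]
        reasons = []
        if image_name(image) in MASQUERADED and image_dir(image) not in LEGIT_DIRS:
            reasons.append(f"{image_name(image)} running from {image_dir(image)}")
        schedules = {t["sc"] for t in group}
        if "ONLOGON" in schedules and "MINUTE" in schedules:
            reasons.append("same image registered ONLOGON and every few minutes")
        if any(t["rl"] == "HIGHEST" for t in group):
            reasons.append("/rl HIGHEST (runs with the full admin token)")
        if reasons:
            findings.append({"image": image, "tasks": [t["tn"] for t in group],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse([parse_schtasks(c) for c in SAMPLE_CMDS]):
        print(f["image"], f["tasks"], *f["reasons"], sep="\n  ")
```

The grouping by image path rather than by task name is deliberate: the sample registers two task names per image ("sppsvc" and "sppsvcs", "csrss" and "csrssc"), and several images share a task name (two different wininit.exe paths both use "wininit"/"wininitw"), so name-based matching would both miss and double-count. On a live host the same logic applies to the /tr values exported by schtasks /query /fo CSV /v, or to Sysmon Event ID 1 command lines for schtasks.exe.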

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4168a809-0c5c-446f-9422-24333cf4321f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce009a05-6605-40f5-bc74-8a2c2e4cccea.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d42d2aa3-a12b-48af-ab57-6dc8a356cf78.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a0c2139-8e56-47c5-a85c-282eccd9736d.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55618d34-8e8d-4608-9725-e2894be7e94b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\016fee74-0d97-4640-be63-e7977b3d04d2.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b891d9da-ce65-41b8-ad1d-4b211ee555f6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a9a3141-19e2-4b92-a63b-321d87cd0d32.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61117d-66ed-43c0-8cc9-e1dd6a2f76a7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1eed196-bab8-409d-b0a3-dcec040cfa94.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05dc9605-5aed-4b6b-9514-b07f2c3f5614.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa84f080-67c3-49e0-809b-e98a36ad5093.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dce88c35-906b-49f9-8b91-f6462be76330.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c96b43c8-9127-4861-8dcd-3c251e9d9a0b.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\480b9a70-d1a8-46f8-b5ca-db49d3bb8943.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a5e709b-a857-42a1-b4ec-62af5d655acd.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5abf60e7-be24-4994-8b10-5aff32bf3b13.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b39b2a71-20db-4e8f-a005-43ebf728796e.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4b34bd7-631b-4176-b227-ad541a38129b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3622f946-46af-4490-97cc-9d4ebd9873d3.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebcaa934-05f7-467f-b38b-aa8731e20cf4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0c7de44-41b8-428a-ab2e-a71543bfc0b8.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48d0460c-1f17-4e74-9055-22cc88a635ce.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\463cc1a1-faa2-4fca-b0e9-cf8d0591249a.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11cda63-1733-487f-9881-ddf64eaf8df9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31f07690-e989-4cef-b7c4-694832cb2844.vbs"

C:\Program Files\DVD Maker\de-DE\sppsvc.exe

"C:\Program Files\DVD Maker\de-DE\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6340a7fd-e481-40a5-9496-949061b8e034.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e1db9dc-7ebf-49e1-9c79-5834dddb55e3.vbs"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp 1
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp 12

Files

C:\MSOCache\All Users\services.exe

MD5 c373114b88515ff2956327bf7e65f898
SHA1 56a5b38dbd5a456719b0d429e253a946313a4895
SHA256 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099
SHA512 47f4c17f0759b9c94de7f27d5bc880488eadb22bbc9a1333ea8d63d185d28f349c82f7b8fd410f9bebb30b022abe822613e2393e0e2630dc293c98209be34d2b

C:\Program Files\Reference Assemblies\spoolsv.exe

MD5 5399086aaf8216803bfb6b126aee396a
SHA1 f19bccda72834717eb112b2f33fb6a17d89af756
SHA256 5e2df70b00f8f24ad5d3396f75c16c4df89ae7fa818bfd0218a2e25e97723382
SHA512 a5b8cbb840cadc0b956435e942b673ef51aaeba692ff3d7638d5afc1097a95939f2e7cd796e03f8f8b4c3d8ed6868ff4b5f4a28b05dc912df567c34091eaa63c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c95bc7771cbdc5e398ea848d55b605c9
SHA1 f3f06a740d307f9f7f840fd3c76f1c987287df22
SHA256 ab370e3fba08f688c3ee98e06006831f02dd8fae773ce05f4b5a3e85aff9a4c4
SHA512 c44abcef986fb978af3d9daa31d36bc7fd3dd19eed68ed33d0f272e2f67ca468349d002137891c1f7c5aa763c4206e20c08cfd8bc958bfbf055ba45043d1b7cf

C:\Users\Admin\AppData\Local\Temp\4168a809-0c5c-446f-9422-24333cf4321f.vbs

MD5 a6dac5d4b628c7268849e42c7180662a
SHA1 e465dfa5d0553bfb5dcfdc981c4d05b7ff0d5933
SHA256 0c2f34b201106bddfd3b7e5c9b9243ab06c4752f9d98e563ee52b2f4d994992d
SHA512 807e7c13f8406e45fd3c3a94daa70d3aebb7f7d8f989c1ca7c2ca55e56ab062b557889260b780f166c75f89433e1133eb6630f2a6d384fb11523d2fdcda73d2f

C:\Users\Admin\AppData\Local\Temp\ce009a05-6605-40f5-bc74-8a2c2e4cccea.vbs

MD5 39ff076509dbfdc6423bed6c8ed3e947
SHA1 17032ec9938327b8d06055bbae040171d715a052
SHA256 71cb905f0dcbf96f79de3fb6d5186a74a5177b7d19c7e41c8a1d239791b6cd00
SHA512 8fccb3ad8789633f5758da912a25ebd12b3519e6908cb02b5cb080af138b5d2231373f19149d702d9eeefe305d8f5d102fad57f12c32f7591642bd229408ce46

C:\Users\Admin\AppData\Local\Temp\tmpCB0C.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Local\Temp\d42d2aa3-a12b-48af-ab57-6dc8a356cf78.vbs

MD5 6af8a90404d791b489681a732ba66c1b
SHA1 12df339e4feae27149a3c74fb5b0ff3bbcb4e5ed
SHA256 5ba72da5091595eb32cbfa48bb3323b7deea6b4c9fae49f753c684da6acfd135
SHA512 31f77515b532a47d0686d3c8e828582735ea46002282900089ffa8f5eea83d688cace82599c7ad13d69abcbd5e2037cf4f0c2207814b68c96d035bdb44ace00e

C:\Users\Admin\AppData\Local\Temp\55618d34-8e8d-4608-9725-e2894be7e94b.vbs

MD5 62ff6edc1f190e6775071618f3fdbea5
SHA1 abb43364459153315d9bad3cdead84c97e657cc2
SHA256 9117b0cce774f348fa4ef62cb6c91b70f20e49898bc8ea4a656b48f9db187ebd
SHA512 ac90fe844cdae1ab6ce818a01b898c43a87a9ddaf4dd03d2aaf626700097943eb330600641a2395c0fc263250db7372170246bf4696227075687c5c9bca6b39f

C:\Users\Admin\AppData\Local\Temp\b891d9da-ce65-41b8-ad1d-4b211ee555f6.vbs

MD5 2fe06ba9f2696566a0a145cdd872cc04
SHA1 90b467e41efa030aa11a8507571c6d34a77f4f4a
SHA256 da32991a8103352b2209694009eeda9855ed1eeef47f72b8e54c0f885f72d932
SHA512 2a7748d2599861bad7b6d411840d03328a7f727fbab7b8cac985cf51770e2b9563641014aeeda3caba9279edbac3c60d3f7c935f71464ac87144c5ca40d45a17

C:\Users\Admin\AppData\Local\Temp\0a61117d-66ed-43c0-8cc9-e1dd6a2f76a7.vbs

MD5 7b5d7f382185a820beb3ceace5b774ae
SHA1 02ee1e38419d01c30efa73e02c706496150d8f77
SHA256 2002120ccae5ef05dcf0fa16e81587b619ad91e3389910f3b3c4f6e4eacedfde
SHA512 a38284c48fb0fe5a9a0101a023d7098f5d121d9889e84703066a4ff2f8bf9d0fae807b47ca29e78ea45d2cc3e27ea884402fedf09fedb21a162bb257de114978

C:\Users\Admin\AppData\Local\Temp\05dc9605-5aed-4b6b-9514-b07f2c3f5614.vbs

MD5 99d6a65530148081dc6f3c06554502c6
SHA1 0f8d9ffcad9d178a089a232e42f8488a363d5297
SHA256 c92e0713e6e082d6a15002be97eb34ad40d7e48b19a877c08f45c7f4ea395420
SHA512 757d62228915a1fe2ab8a6f98470aa8884ce9e5872022293c81720cc8493c22c6a18750c24b5b8d3659be55ab90206090644bcfec8015323391d6ee5debe7e84

C:\Users\Admin\AppData\Local\Temp\dce88c35-906b-49f9-8b91-f6462be76330.vbs

MD5 ddd0a456537c28d36588e25345cb5854
SHA1 a9740f7846ec4ef7d29bc4793a0754481c3ed62f
SHA256 24e8a86920da543aacc05645ec31aa581e5abdd16c9202958a2c8b1bd0ad75f4
SHA512 07a1d508f3ae4bf426e74dd28049ea5bcfb3f3e88dec07930e9afc17e44d200f1272b3ab3f623a20986bcdc63c325ed05bb2c6226f62fcaeede733da026f567d

C:\Users\Admin\AppData\Local\Temp\480b9a70-d1a8-46f8-b5ca-db49d3bb8943.vbs

MD5 8cdbf1bd743ef622ab88341a2c36fbe4
SHA1 b70a4b093457534c295796e5c2391ae084c2067a
SHA256 8eae7e25f4681f83b206376db00c58ea917f0d2c70a7cddbc2b54b4a6eb03e34
SHA512 15cadf745c97e44cd762711846820a09630963d68a01375af0d1ebe5634a80dee14b1c0760fa1938690efb3a83f4bdc26335022033338d31059c8fbb6cf79d16

C:\Users\Admin\AppData\Local\Temp\5abf60e7-be24-4994-8b10-5aff32bf3b13.vbs

MD5 7322bd66f14f3ebda6212ea87180afa8
SHA1 9e10336dac690f4f477f8b2c4a54f92909b69ed9
SHA256 1f84686c30d74afd65a30aec47e778c9eb34b3a4c74a0e78358e11c4c79e6e82
SHA512 73cf03fa1e17d9e4922cc8e78b19d39557ad4486c85b168eaa735339ea35a7246be014af575a304367d5b3689cf717732b3849e80f26e235e5d57512e92332c8

C:\Users\Admin\AppData\Local\Temp\f4b34bd7-631b-4176-b227-ad541a38129b.vbs

MD5 761370f9c911d9f7fe424ee74f42d925
SHA1 c593271c4bc9ead43d0f60b9ae4f5d70623c03bf
SHA256 3caa5dcad8fa7710b39397d8fd7e0a9230ac99fc0128db5ea9605b7e799b5c06
SHA512 1d62b6a34ca3acc67e483441fe65b80afda96f35c68352de4e2a7cc5fc4becfc390fb12f9ce11650746b36fb6713af02b1b1b9cddb633b142652ce35864d4288

C:\Users\Admin\AppData\Local\Temp\ebcaa934-05f7-467f-b38b-aa8731e20cf4.vbs

MD5 0aa061bee821bbedc7c9e20aa4af36a1
SHA1 a5bcc9e5f6f7130fffc0b601b94cb1629573bec6
SHA256 5f1b4b305f89d239325368a04cf5f684664a720f118804b29b46890ea7938c6c
SHA512 d9ffa7f52d0e2f65de827d95a675772520cfa56241c3634827ed8b2de4eff22a9af7584e65c8d6ee7b6dc0095ef3a4d785d9d12caa11f074e8ce1bd5833927ca

C:\Users\Admin\AppData\Local\Temp\48d0460c-1f17-4e74-9055-22cc88a635ce.vbs

MD5 3526ca0b6de24f1ecd4b10ac7f068406
SHA1 361a4ccb376305872ff1f6d39cfdde2e9fa37401
SHA256 d9b9bfe51007bce3f995be18d86bcedfc44ff7e6d183e2f1e598557bbf0c56ce
SHA512 8543889603db841750bd58d390648b1961840f2402035353d3904a296799c58898607f812277fc3628362e055e6842f4f269216c6fb82f314e2ce017fc1a9c57

C:\Users\Admin\AppData\Local\Temp\d11cda63-1733-487f-9881-ddf64eaf8df9.vbs

MD5 69b1c01002ef36e8ed3b44ad9bba773d
SHA1 3f5522280dc033f861a994e394e438962e4a07a1
SHA256 cccdffd960f43832557b0d714b853dbf7ff59cf205ffbbe7016775c919d901ef
SHA512 d571e3d2d1b5b34ee371d2d6d750e57c18f65b862c3560fbfed1c8306d3d7dbc50c80712e183d295a081f7d8af94af362f78f63d987ef8fcd6e682da27f55da2

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 23:57

Reported

2024-11-16 00:00

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 42

UAC bypass

evasion trojan

Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A 15
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A 15
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A 15
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A 1

DCRat payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\L2Schemas\RuntimeBroker.exe N/A 15
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A 1

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\L2Schemas\RuntimeBroker.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4840 set thread context of 2364 N/A C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe
PID 4236 set thread context of 4496 N/A C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe
PID 2304 set thread context of 2956 N/A C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe
PID 3972 set thread context of 4128 N/A C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe
PID 3048 set thread context of 2184 N/A C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe
PID 1240 set thread context of 3652 N/A C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe
PID 2940 set thread context of 2300 N/A C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe
PID 4360 set thread context of 3328 N/A C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe
PID 1080 set thread context of 3204 N/A C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe
PID 2404 set thread context of 4360 N/A C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe
PID 1956 set thread context of 4588 N/A C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe
PID 2164 set thread context of 4268 N/A C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\System.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCXC0E1.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\Microsoft Office 15\csrss.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\Microsoft Office 15\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\7.0.16\RCXC305.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\7.0.16\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\RCXC9CE.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\RCXD4EF.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\RCXDD2F.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\dotnet\host\fxr\7.0.16\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\dotnet\host\fxr\7.0.16\e6c9b481da804f C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\csrss.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\System.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\RCXDB1B.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bcastdvr\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\Globalization\dwm.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\L2Schemas\RCXD0C6.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\Globalization\dwm.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\Help\Windows\ContentStore\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\L2Schemas\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\Help\Windows\ContentStore\RCXCC7F.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\Help\Windows\ContentStore\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\bcastdvr\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\Globalization\RCXC7BA.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\Help\Windows\ContentStore\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\bcastdvr\RCXCEA2.tmp C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\bcastdvr\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File opened for modification C:\Windows\L2Schemas\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\Globalization\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
File created C:\Windows\L2Schemas\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\L2Schemas\RuntimeBroker.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
N/A N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\L2Schemas\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1568 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe
PID 4840 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe
PID 1568 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe C:\Windows\System32\cmd.exe
PID 368 wrote to memory of 868 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 368 wrote to memory of 3548 N/A C:\Windows\System32\cmd.exe C:\Windows\L2Schemas\RuntimeBroker.exe
PID 3548 wrote to memory of 3832 N/A C:\Windows\L2Schemas\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3548 wrote to memory of 1860 N/A C:\Windows\L2Schemas\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3548 wrote to memory of 4236 N/A C:\Windows\L2Schemas\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe
PID 4236 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe
PID 3832 wrote to memory of 2656 N/A C:\Windows\System32\WScript.exe C:\Windows\L2Schemas\RuntimeBroker.exe
PID 2656 wrote to memory of 2852 N/A C:\Windows\L2Schemas\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2656 wrote to memory of 1192 N/A C:\Windows\L2Schemas\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2656 wrote to memory of 4696 N/A C:\Windows\L2Schemas\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe
PID 4696 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\L2Schemas\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe

"C:\Users\Admin\AppData\Local\Temp\83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Globalization\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Windows\ContentStore\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Help\Windows\ContentStore\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Windows\ContentStore\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iR3fCogaVc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\L2Schemas\RuntimeBroker.exe

"C:\Windows\L2Schemas\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa582840-a3be-4f02-a687-f1865c264ee2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0c15e39-27a2-4921-8a13-70b39d24c2eb.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp73E.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c287192-3253-437f-b103-603a45f81459.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4fd6195-3bd6-4f24-82db-ad7a06f84448.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c1595a1-b405-4080-beb4-63fe4fc46632.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\172c2b50-0397-4f24-884b-72baeed05231.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16336378-f9ec-4578-b7dc-6390a5dd4b77.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\773442b3-a309-4d9e-8ffd-e39b9d06481a.vbs"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb515cb5-db08-4484-9022-78b8974da11c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c618794-7a1f-44cb-85ac-a110b5768040.vbs"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ff1ed28-0640-4c16-aa37-04bc878bfc8f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c79cb528-8b16-430b-be0d-f68d2c692599.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBC85.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05f116f2-ac0d-43ab-a84d-1c4d758ca0d9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2af269d5-d3b0-459c-8151-b732b12fe997.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF037.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67f89bc7-c2c4-45b5-ac87-ec7b2074a6ce.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b4282c-c05b-4b48-aea0-738656e28646.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9360082b-46ba-4fc7-ba18-cbac774d3d65.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b2f92a-efc5-4a3c-b397-a881877686af.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp32AF.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57f82647-da11-41cd-9c5d-8a005bda3d76.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\475115af-b8fd-4c1f-b9f6-61ac67eba8bb.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4F6E.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9315a680-2aeb-4f02-9dda-ebb34534958a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df606b32-650f-4bab-a354-c060b708d22e.vbs"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be62b14d-9176-4cf9-8755-2fe53f9d53b8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\941d8491-7d5b-48b5-9c29-eac67576d22d.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cadb23f-3678-4dbc-bedf-566dbc69a5ba.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5e8c313-b220-44d3-b31b-769eb7646bf4.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBF8D.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb09bd97-b401-4f94-8259-50951f507031.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66f0b135-f222-4ae8-bc3a-4d97cf995899.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDF3B.tmp.exe"

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\L2Schemas\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e120433-4275-43a8-94ea-898b7ed35d35.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9b57f93-7be3-49fa-b4b9-c85619124a0c.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 200.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 139.92.23.2.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp

Files

memory/1568-0-0x00007FFD0AF03000-0x00007FFD0AF05000-memory.dmp

memory/1568-1-0x0000000000C00000-0x00000000010F4000-memory.dmp

memory/1568-2-0x000000001BEC0000-0x000000001BFEE000-memory.dmp

memory/1568-3-0x00007FFD0AF00000-0x00007FFD0B9C1000-memory.dmp

memory/1568-4-0x0000000003480000-0x000000000349C000-memory.dmp

memory/1568-7-0x00000000034A0000-0x00000000034B0000-memory.dmp

memory/1568-5-0x000000001C640000-0x000000001C690000-memory.dmp

memory/1568-6-0x00000000032F0000-0x00000000032F8000-memory.dmp

memory/1568-9-0x000000001BEA0000-0x000000001BEB0000-memory.dmp

memory/1568-8-0x00000000034B0000-0x00000000034C6000-memory.dmp

memory/1568-10-0x000000001C5F0000-0x000000001C5FA000-memory.dmp

memory/1568-11-0x000000001C600000-0x000000001C612000-memory.dmp

memory/1568-15-0x000000001C630000-0x000000001C63E000-memory.dmp

memory/1568-14-0x000000001C620000-0x000000001C62E000-memory.dmp

memory/1568-13-0x000000001C610000-0x000000001C61A000-memory.dmp

memory/1568-12-0x000000001CBC0000-0x000000001D0E8000-memory.dmp

memory/1568-17-0x000000001C6A0000-0x000000001C6A8000-memory.dmp

memory/1568-18-0x000000001C6B0000-0x000000001C6BC000-memory.dmp

memory/1568-16-0x000000001C690000-0x000000001C698000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe

MD5 c373114b88515ff2956327bf7e65f898
SHA1 56a5b38dbd5a456719b0d429e253a946313a4895
SHA256 83e228fd66e0c73d31c2b9d4e6644ad3275c6d4b6224f5b893e344603810a099
SHA512 47f4c17f0759b9c94de7f27d5bc880488eadb22bbc9a1333ea8d63d185d28f349c82f7b8fd410f9bebb30b022abe822613e2393e0e2630dc293c98209be34d2b

C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/2364-60-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1568-130-0x00007FFD0AF03000-0x00007FFD0AF05000-memory.dmp

memory/1568-140-0x00007FFD0AF00000-0x00007FFD0B9C1000-memory.dmp

C:\Program Files\Windows Security\BrowserCore\en-US\System.exe

MD5 6283810fd0c6ee940d7bb41c1645bd10
SHA1 224c27ef424b906f7261974f4ad2921a961a1559
SHA256 37223a1c53df3ac06c2699269ebb4b517bbd3b6282da413dcb2031446bbe7f63
SHA512 e1e788b727c8d3170e9a8f2c522f23d1c1a274eea1fde931bd5dccef3e0e91480c0ad73ca5fa3b209d9d06eb8e12211f8837883bfd2a4ca301a9e3f12cc7c216

memory/1568-160-0x00007FFD0AF00000-0x00007FFD0B9C1000-memory.dmp

memory/4416-161-0x000001CCAD5B0000-0x000001CCAD5D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmcdma0q.i3z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\iR3fCogaVc.bat

MD5 274ee6de0f9b0d95c050bd084a1a4794
SHA1 58df64dc5dc35138829b0acf59290afec707c2b8
SHA256 a0a7d76dd33bf55bb96a08a6742eda8c7039bb4948c762783a39c6af8c6572aa
SHA512 dce4c6b550f83cdff98d0a2f936574d28947ecc4e5468e8df08b1294df415398c1610f8cb416bf93791b105935f1b12a2a322c7590725b58ca752c0153395fe4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Temp\fa582840-a3be-4f02-a687-f1865c264ee2.vbs

MD5 49b3a9688859b4e23f09e6ac066f3792
SHA1 ab02411ba2be4dfd818b696a9514ecb4b2ba273d
SHA256 f02db771a26abcfc2320999f67416b38599fab7fe148ff1a8f258ce4b7331edf
SHA512 5b04f6fe043bb3be3f117b4981ac4c5e28fe2c7fc6d4a2ac2a8570e9b761d37e88f24d9dd60e144677de713c5b80b8265dbf7f2a6c7eda0f2a2f346e169b10a9

C:\Users\Admin\AppData\Local\Temp\a0c15e39-27a2-4921-8a13-70b39d24c2eb.vbs

MD5 2b7a09b0bc7adf077963ba0dffe84e08
SHA1 3d4e158ce9774ab25ded1dbb21aa012181ae75e6
SHA256 219de39c24fda58eb16f6c3e00ac61d59267c05dafcb9ea15391b6012669e082
SHA512 d0a5b1bbbf3ac82e65d4526cd86416f4456277e5a9e731a580932d4cffee53b81958fbbf9ebe6aa362b440800b6ce6a2b6d62c428bbabb70a7376e0412232b6b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\3c287192-3253-437f-b103-603a45f81459.vbs

MD5 6c991e272b1ef8bd5e9c3b2dc00fc0c9
SHA1 5ab5f73432ff967f6fa9c16346a49b6193ad9b76
SHA256 3784ac15a0ed8a5d3d55bbf4f00c7fbdead1940b4e1fd27316356a87304285e7
SHA512 f50c6e9cea4d74d5cd2eb71763842782afcf2262ec92f92a3d258c69d8c4c67e07bc9a168b62be6c98831da568dbfda13c0dde1bbaf412672d17a9f710c8b130

C:\Users\Admin\AppData\Local\Temp\0c1595a1-b405-4080-beb4-63fe4fc46632.vbs

MD5 5a76a57d1aa27235802e30f04afbd9e5
SHA1 566e79256f210e50856948dcefb4b398f85e420a
SHA256 cd38dc73ec99fa73a3f1c7af8792783813e6f9a3a93f3b6edcae1b888ab8e622
SHA512 3afc8edac1eec9ceb8f51055dd787fb98c83e6a797905035711cab6066d4585f1d394c7901dc7c5a407dee06d49b2263703b808e5ca4feb10559a1d8f8b89395

C:\Users\Admin\AppData\Local\Temp\16336378-f9ec-4578-b7dc-6390a5dd4b77.vbs

MD5 3411f6c19b4597e522fe7e73de27df25
SHA1 cc3f1c6c26f97953057f2f2cbf203a0f9a5efd2d
SHA256 f690d287604f56be0a9cd7c573dac6a285bc8d65e27e551a7041dc73ad4a12fa
SHA512 9ee2ae47e282a57e1c0bd05265109c570129214aec8478294519f82a10402fb117a1d4afd8e3f5e0462b6003a298c697dd4ab4308f28796e1912597329f14309

C:\Users\Admin\AppData\Local\Temp\6ff1ed28-0640-4c16-aa37-04bc878bfc8f.vbs

MD5 9884a09577a92a7dcf87ea6ec9f6a8ec
SHA1 3b6586cf3e7a2ed70f428a4719e27a2bebaaa11a
SHA256 80572f309fb1598cfba966dffd6418e41356e1af2b55a3361f8b7a8b95fa2ebc
SHA512 a9865d4c9c9ca54ef6b2b456f2a43299de4b587f82a66b938c0c4dd5756d578a95fbe17bae2fc5497e209e21793b3d40c6617148016e66e6b9eb592cace88d20

C:\Users\Admin\AppData\Local\Temp\05f116f2-ac0d-43ab-a84d-1c4d758ca0d9.vbs

MD5 541aaa4d888bec5073c081daeb91bc43
SHA1 1ec5cd758aa09891ea5ebd91b75686b9b25b4edb
SHA256 b0fb36ef41aa6906c0ffca345e468d8e54afe680b6323d71a22c69004767c768
SHA512 45295eeb67b705ce2f07b7bcfaabe895e929ba26c560b11453e2771e46c074beee4411aae32b0556445c116ed76a02e0b4dc9c31f819ceb4d509814e6651c596

C:\Users\Admin\AppData\Local\Temp\67f89bc7-c2c4-45b5-ac87-ec7b2074a6ce.vbs

MD5 774fcd06c833f1579802384d68dad1c2
SHA1 7e3ebe540926b7e5847163259734e2d858766bbe
SHA256 d624b659ded526ff632bb60b11d6f520ae172a319b69da0dee998efa6de011b0
SHA512 18fc5f9b25d7bfc6ec78b21c94c79d0e8bd92cff7d2a2f501247e9e551b352f21d5d23c3cf9a8c0c48a1689326d90a4fcab1802a8fb9276a7f3eee09dc6a9fa5

memory/2320-486-0x000000001D640000-0x000000001D652000-memory.dmp