Malware Analysis Report

2024-11-30 22:11

Sample ID 241115-z3atyswldj
Target 3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168
SHA256 3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168
Tags
colibri dcrat build1 discovery evasion execution infostealer loader rat trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168 was found to be: Known bad.

Malicious Activity Summary

Dcrat family

Colibri Loader

UAC bypass

Process spawned unexpected child process

Colibri family

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 21:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 21:14

Reported

2024-11-15 21:16

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\48d9c7ba3e34e1 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\Registration\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\Offline Web Pages\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\Windows Mail\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\Windows Photo Viewer\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\IME\IMEKR\HELP\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\Idle.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp16FE.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp16FE.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp34C7.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp34C7.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5109.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5109.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA0B0.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA0B0.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpEC01.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpEC01.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp696E.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp696E.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp99E5.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp99E5.tmp.exe N/A
N/A N/A C:\Users\All Users\Idle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3152 set thread context of 2660 N/A C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 1148 set thread context of 2032 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 400 set thread context of 5068 N/A C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp.exe
PID 4980 set thread context of 4348 N/A C:\Users\Admin\AppData\Local\Temp\tmp16FE.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp16FE.tmp.exe
PID 3572 set thread context of 2668 N/A C:\Users\Admin\AppData\Local\Temp\tmp34C7.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp34C7.tmp.exe
PID 764 set thread context of 5112 N/A C:\Users\Admin\AppData\Local\Temp\tmp5109.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp5109.tmp.exe
PID 3760 set thread context of 3740 N/A C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.exe
PID 4916 set thread context of 2588 N/A C:\Users\Admin\AppData\Local\Temp\tmpA0B0.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpA0B0.tmp.exe
PID 4964 set thread context of 2288 N/A C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe
PID 1860 set thread context of 4156 N/A C:\Users\Admin\AppData\Local\Temp\tmpEC01.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpEC01.tmp.exe
PID 1920 set thread context of 2108 N/A C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe
PID 1644 set thread context of 1368 N/A C:\Users\Admin\AppData\Local\Temp\tmp696E.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp696E.tmp.exe
PID 4332 set thread context of 4960 N/A C:\Users\Admin\AppData\Local\Temp\tmp99E5.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp99E5.tmp.exe
PID 1688 set thread context of 2836 N/A C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\48d9c7ba3e34e1 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCXB10C.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\sysmon.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files\dotnet\swidtag\088424020bedd6 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Idle.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXB535.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files\Windows Mail\sihost.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files\Windows Mail\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files\Windows Mail\sihost.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXA688.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\sysmon.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\es-ES\RCXB321.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\lsass.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\es-ES\sysmon.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files\dotnet\swidtag\conhost.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files\Windows Photo Viewer\sysmon.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files\Windows Photo Viewer\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\RCXB7B6.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files\dotnet\swidtag\conhost.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Idle.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files\Windows Photo Viewer\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files\Windows Photo Viewer\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files\Windows Mail\RCX9F51.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\lsass.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXAEF8.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IME\IMEKR\HELP\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Windows\Registration\dwm.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Windows\es-ES\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Windows\System\Speech\wininit.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Windows\Offline Web Pages\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Windows\Registration\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Windows\WaaS\services\Idle.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Windows\Offline Web Pages\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Windows\Registration\dwm.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Windows\Offline Web Pages\RCX9D2D.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Windows\es-ES\winlogon.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Windows\es-ES\winlogon.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Windows\IME\IMEKR\HELP\dllhost.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Windows\IME\IMEKR\HELP\dllhost.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Windows\Offline Web Pages\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Windows\OCR\it-it\csrss.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Windows\IME\IMEKR\HELP\RCX9B19.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Windows\Registration\RCXA185.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp16FE.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpEC01.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp34C7.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5109.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA0B0.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp696E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp99E5.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\All Users\Idle.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3668 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 3668 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 3668 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 3152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 3152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 3152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 3152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 3152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 3152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 3152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe
PID 3668 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
PID 3668 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
PID 3044 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 3044 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 3044 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 4532 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 4532 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 4532 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 1148 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 1148 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 1148 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 1148 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 1148 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 1148 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 1148 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe
PID 3044 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
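
The write events above are a flat list, but read as a graph they describe the loader's injection chain: the sample writes into a second copy of itself, that copy drops tmpCBBC.tmp.exe, and the dropped file writes into two further copies of its own image. The following Python is an added example, not part of the sandbox output; it rebuilds that graph from a transcribed subset of the rows above (one duplicate row kept on purpose) and separates same-image writes, which together with the report's SetThreadContext signature are the shape of process hollowing, from writes into freshly spawned powershell.exe instances. Rule names and the 10-line subset are this example's own choices.

```python
"""Rebuild the injection chain from 'wrote to memory of' sandbox events.

Added example; not the sandbox's own logic. EVENTS is transcribed from the
WriteProcessMemory list in the report (a subset, one duplicate retained).
"""
import re
from collections import defaultdict
from typing import NamedTuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe"

EVENTS = "\n".join([
    f"PID 3668 wrote to memory of 2004 N/A {SAMPLE} {PS}",
    f"PID 3668 wrote to memory of 3932 N/A {SAMPLE} {PS}",
    f"PID 3668 wrote to memory of 1012 N/A {SAMPLE} {PS}",
    f"PID 3668 wrote to memory of 3044 N/A {SAMPLE} {SAMPLE}",
    f"PID 3668 wrote to memory of 3044 N/A {SAMPLE} {SAMPLE}",  # duplicate row, as in the report
    f"PID 3044 wrote to memory of 4532 N/A {SAMPLE} {TMP}",
    f"PID 4532 wrote to memory of 1148 N/A {TMP} {TMP}",
    f"PID 1148 wrote to memory of 2032 N/A {TMP} {TMP}",
    f"PID 3044 wrote to memory of 4292 N/A {SAMPLE} {PS}",
    f"PID 3044 wrote to memory of 1012 N/A {SAMPLE} {PS}",  # PID 1012 reused by a later powershell
])


class Write(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


LINE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)


def parse_writes(text):
    """One Write per matching line; anything else in the text is ignored."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append(Write(int(m[1]), int(m[2]), m[3], m[4]))
    return out


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def self_image_writes(writes):
    """Edges where a process writes into a new instance of its own image.

    Spawn-self, overwrite, resume is the hollowing / RunPE pattern; the
    report's 'Suspicious use of SetThreadContext' is the resume half of it.
    """
    return sorted({(w.src_pid, w.dst_pid) for w in writes
                   if basename(w.src_image) == basename(w.dst_image)})


def interpreter_writes(writes, names=("powershell.exe", "cmd.exe", "wscript.exe")):
    """Writes into a just-created script host.

    A parent also writes the child's parameter block at CreateProcess time,
    which sandboxes report as WriteProcessMemory, so these edges are weaker
    evidence on their own than same-image writes.
    """
    return sorted({(w.src_pid, w.dst_pid) for w in writes if basename(w.dst_image) in names})


def longest_write_chain(writes):
    """Longest writer -> written path starting from a PID nobody wrote into.

    Caveat: PIDs are the only key, and the sandbox reuses them (1012 above),
    so over a long run two different processes can collapse into one node.
    """
    children = defaultdict(set)
    written = set()
    for w in writes:
        children[w.src_pid].add(w.dst_pid)
        written.add(w.dst_pid)
    roots = set(children) - written

    def walk(pid, seen):
        best = [pid]
        for child in sorted(children.get(pid, ())):
            if child not in seen:
                path = [pid] + walk(child, seen | {child})
                if len(path) > len(best):
                    best = path
        return best

    return max((walk(r, {r}) for r in sorted(roots)), key=len, default=[])


if __name__ == "__main__":
    ws = parse_writes(EVENTS)
    print(f"{len(ws)} events, {len(set(ws))} unique edges")
    print("same-image writes:", self_image_writes(ws))
    print("chain:", " -> ".join(map(str, longest_write_chain(ws))))
```

On the subset above the chain is 3668 -> 3044 -> 4532 -> 1148 -> 2032, with the three same-image edges being the ones worth a memory dump of the written process; the powershell.exe edges are explained by the Add-MpPreference commands in the Processes list further down.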

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Idle.exe N/A
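
Three values under Policies\System are being driven to 0 by two different images: EnableLUA=0 switches UAC off at the next reboot, ConsentPromptBehaviorAdmin=0 makes administrators elevate without any prompt, and PromptOnSecureDesktop=0 moves whatever prompts remain off the secure desktop. The Python below is an added example rather than part of the report; it parses a transcribed subset of the rows above (plus one constructed control row that restores a default and must not be flagged), attributes the weakening to each image, and computes the UAC posture the host is left with under last-write-wins. Value semantics are the documented Windows ones; the function names are this example's own.

```python
"""Attribute UAC-weakening registry writes to the processes that made them.

Added example; not the sandbox's own logic. EVENTS is transcribed from the
System policy modification table, except the first row, which is a
constructed benign control (an admin tool writing the default back).
"""
import re
from collections import defaultdict

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe"
IDLE = r"C:\Users\All Users\Idle.exe"

EVENTS = "\n".join([
    rf'Set value (int) {UAC_KEY}\EnableLUA = "1" C:\Windows\System32\svchost.exe N/A',  # constructed control
    rf'Set value (int) {UAC_KEY}\EnableLUA = "0" {IDLE} N/A',
    rf'Set value (int) {UAC_KEY}\ConsentPromptBehaviorAdmin = "0" {IDLE} N/A',
    rf'Set value (int) {UAC_KEY}\PromptOnSecureDesktop = "0" {IDLE} N/A',
    rf'Set value (int) {UAC_KEY}\ConsentPromptBehaviorAdmin = "0" {SAMPLE} N/A',
    rf'Set value (int) {UAC_KEY}\EnableLUA = "0" {SAMPLE} N/A',
    rf'Set value (int) {UAC_KEY}\PromptOnSecureDesktop = "0" {SAMPLE} N/A',
    rf'Set value (int) {UAC_KEY}\EnableLUA = "0" {IDLE} N/A',
])

# Documented UAC policy values: the data that weakens each, and what it means.
UAC_WEAK = {
    "EnableLUA": ("0", "UAC switched off entirely (takes effect after reboot)"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": ("0", "elevation prompts shown on the normal, spoofable desktop"),
}

# Sandbox row: Set value (<type>) <key path>\<name> = "<data>" <image> N/A
ROW = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (.+?) N/A$')


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            key, _, name = m[2].rpartition("\\")
            rows.append({"type": m[1], "key": key, "name": name, "data": m[3], "image": m[4]})
    return rows


def _is_uac_value(row):
    return row["key"].lower() == UAC_KEY.lower() and row["name"] in UAC_WEAK


def uac_weakening(rows):
    """image -> sorted names of UAC values that image set to the weak data."""
    hits = defaultdict(set)
    for r in rows:
        if _is_uac_value(r) and r["data"] == UAC_WEAK[r["name"]][0]:
            hits[r["image"]].add(r["name"])
    return {img: sorted(names) for img, names in hits.items()}


def final_values(rows):
    """Last write wins: the UAC values the host is left with."""
    out = {}
    for r in rows:
        if _is_uac_value(r):
            out[r["name"]] = r["data"]
    return out


def describe(rows):
    """Human-readable lines for every value left in its weak state."""
    return [f"{name}={data}: {UAC_WEAK[name][1]}"
            for name, data in final_values(rows).items() if data == UAC_WEAK[name][0]]


if __name__ == "__main__":
    rows = parse_rows(EVENTS)
    for image, names in uac_weakening(rows).items():
        print(image, "->", ", ".join(names))
    print(*describe(rows), sep="\n")
    # Live-host equivalent of final_values():
    #   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
```

The same three fields (key, value name, data, image) appear in Sysmon Event ID 13 (RegistryEvent, Value Set), so the rule transfers directly to endpoint telemetry; the behaviour maps to ATT&CK T1548.002 (Bypass User Account Control) and T1112 (Modify Registry). Note that the masquerading path matters as much as the value: Idle.exe has no legitimate on-disk binary under C:\Users\All Users.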

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe

"C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\IMEKR\HELP\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\IME\IMEKR\HELP\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\IMEKR\HELP\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f1683" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f1683" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\taskhostw.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe

"C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26d73225-f90f-442f-9468-0d4630e60b5e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46b5f1b7-e386-401e-84ff-4f52d8b1ba0a.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e378230-1cb3-49d8-8ae0-afa7271f9cfe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86b70446-976e-4f64-b3b8-6409cab954f9.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp16FE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp16FE.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp16FE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp16FE.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbccd969-b7f7-45ae-8b7f-d004b33f8afa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8fe2602-767a-4b47-857d-f0de833535cf.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp34C7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp34C7.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp34C7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp34C7.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7eb87086-3506-4786-831c-211ea9db7757.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91e2d1d7-374d-4f35-bfad-4965b0d57a27.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp5109.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5109.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp5109.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5109.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6ca9398-df74-4d0a-af4c-cd8f4904f84c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc1145af-49f9-4926-bde7-edb1fce065d1.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8400.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58f62781-8546-4500-a184-f194f0fa1610.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01ea3d1d-ef61-4f86-8122-724885ddf2af.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpA0B0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA0B0.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpA0B0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA0B0.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9362690-918a-45f5-8fff-ce86c51e177f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a30f534e-4744-4f90-a309-f72904519eac.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44348a46-4460-4e12-b7a1-589c1d03244c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76b69431-79f7-4397-966d-a145143c50eb.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpEC01.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEC01.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpEC01.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEC01.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63c4eac5-e182-45f6-b188-a18c413466b4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9b3f9ce-7a23-4965-85e7-f20d5cf98494.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1CA6.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e263f4e-aed9-4ee0-a1b8-e631d3136573.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9523f4df-c46f-4e97-a284-6d7b4a3be482.vbs"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cabbad5-a2fa-443a-a288-be4d3d62b856.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\250c7bb3-70ab-426d-984a-a49fb9583686.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp696E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp696E.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp696E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp696E.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a79dd4dd-5abc-4b5b-a15c-2198ec5223f4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25edca65-2c5d-479a-885c-12a276c77fb4.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp99E5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp99E5.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp99E5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp99E5.tmp.exe"

C:\Users\All Users\Idle.exe

"C:\Users\All Users\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c492d51-24d5-4808-8ef5-4cf89133d06f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7e6ec47-8012-48aa-b7bf-86164b295f87.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 200.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 142.92.23.2.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp

Files

memory/3668-0-0x00007FFA5DF43000-0x00007FFA5DF45000-memory.dmp

memory/3668-1-0x00000000001B0000-0x00000000006A4000-memory.dmp

memory/3668-3-0x00007FFA5DF40000-0x00007FFA5EA01000-memory.dmp

memory/3668-2-0x000000001B4F0000-0x000000001B61E000-memory.dmp

memory/3668-4-0x0000000001290000-0x00000000012AC000-memory.dmp

memory/3668-5-0x000000001B460000-0x000000001B4B0000-memory.dmp

memory/3668-7-0x0000000001320000-0x0000000001330000-memory.dmp

memory/3668-6-0x00000000012B0000-0x00000000012B8000-memory.dmp

memory/3668-9-0x000000001B430000-0x000000001B440000-memory.dmp

memory/3668-8-0x000000001B410000-0x000000001B426000-memory.dmp

memory/3668-10-0x000000001B440000-0x000000001B44A000-memory.dmp

memory/3668-11-0x000000001B450000-0x000000001B462000-memory.dmp

memory/3668-14-0x000000001B4C0000-0x000000001B4CE000-memory.dmp

memory/3668-15-0x000000001B4D0000-0x000000001B4DE000-memory.dmp

memory/3668-13-0x000000001B4B0000-0x000000001B4BA000-memory.dmp

memory/3668-12-0x000000001C190000-0x000000001C6B8000-memory.dmp

memory/3668-16-0x000000001B620000-0x000000001B628000-memory.dmp

memory/3668-17-0x000000001B630000-0x000000001B638000-memory.dmp

memory/3668-18-0x000000001B640000-0x000000001B64C000-memory.dmp

C:\Recovery\WindowsRE\Registry.exe

MD5 2382f8fb2178cff1276f7416428efe5f
SHA1 91516f859638ee108e4c6edb9a2b9a4772e353fc
SHA256 3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168
SHA512 253d4ba57120fbcf9aa908c0aedcca230b4e092b144c008e92372fa61c4cb5f327a73d4d740dce8fb041205c4cef31a0758dba5f08fad0dfcd3f1b287a2e0f1c

C:\Users\Admin\AppData\Local\Temp\tmp9B18.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/2660-66-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3668-138-0x00007FFA5DF43000-0x00007FFA5DF45000-memory.dmp

memory/3668-152-0x00007FFA5DF40000-0x00007FFA5EA01000-memory.dmp

C:\Program Files\Windows Photo Viewer\taskhostw.exe

MD5 9058e68ce038eb947438a1f6e29de40f
SHA1 884b626acab0cb2b7cc5d84644a6c7046821820d
SHA256 85722d6ae54124b990ee1fa8f6e6ca2dfa1fab4b82d5261b7939a305b72356f9
SHA512 e95ef28d5939460f8dcf65501eafd0c04e7542f1d82211e250174adfb3a62e675638b3bcf9c0a85394d19f2b180af194d2d1703d895ca864487e93f6d50d2cb9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvzyp4up.elf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3228-171-0x00000181A3D40000-0x00000181A3D62000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe.log

MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

memory/3668-263-0x00007FFA5DF40000-0x00007FFA5EA01000-memory.dmp

memory/3044-264-0x000000001BF20000-0x000000001BF32000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8d9b95fdab142bb52f794b152e9b8230
SHA1 badb1d4568eb62dca12181d0c7fb093779c9a4de
SHA256 b2b0ff5c6f0f0bbe286910bc2424d7b747fce3b7d7609cc6434aea99372aaa39
SHA512 3f05056bdec2e72f1342f45639c5a89aa175a3a4fdb8494dda31b346faf970b10cc0ab322533514d8f5b591e051a2a35595b0448918e25dbbc6cf02854276b1e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b7b47377bcaba7a045dc11be31f711b3
SHA1 c915578f1139e3d0ca94d8ea73a17698771400e8
SHA256 23d457e05f8b8fc47e6617fee28d04a7e6fab993751b94514c9308e387c95a1a
SHA512 be381612f831f820e7fb04fa94c7a61954f4bba3d1b2d1112e455b41a6e9322b35e75311fbf24d5ff541a73d56bf79976e1462fee06d337341ad0953325636a3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 21bfc799247c23be8c83723a21d31bb5
SHA1 53b308a69a2e57ce004951c978ea8e008e29ca56
SHA256 eab1228d3d5af575fdf617768fdd5371ca706e4f48a8f9f4583b58663fbc5be3
SHA512 19e9ed32a3c302ea7d4ff23df4f6dfc7ba72775e18ce47f284db22f9059309448d77fd123984adcef11e647403a01f3cf45bd463857af77ae882be885001e746

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 87cb564705472f8a13c922cf687ea4f9
SHA1 f99d3c7696fa8efbdb8ed01aaab4083c5c03f890
SHA256 2708941e880982f7ff2513c1bd93f8f08a560c8771e4cdcd8d32fa9e3ce5a00d
SHA512 5429619aadaf56558f40b47a7c131343ae70fb254c67f0a52eb0c7a319480fc3a33cb5460bdc41ccf964086b9d78b97345c6b759f57cc9224a095f041e645241

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b740f7616c3c3d006afd7e1586758eeb
SHA1 c465af4c07ecb9e3de239c410d3b2ed5de93cdde
SHA256 c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872
SHA512 d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2262839c93970e05099a4a7d8d6bf51b
SHA1 5bdc2124f4d84180ab974594fc5d0acce89e02bc
SHA256 df5987de92b53918f66a554e5599a52da01e174b13cd27ac4ba9b12e5b402a65
SHA512 b2c74af14d5f73122c881a2e3e8e94df5c38bc116c837052e21384a3b20167d7746a86680ce88b22e477117924b2fba5d4748135dbd96448e85b77c8bdaf9e1a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4345955c1b5cc2f2c8a6923e677f6a61
SHA1 572a46a5fa74524df83da70b00f40ddb81b5b432
SHA256 14178c711c1c432e590041f1c4e426b664b07b1c3aad6c84b352677330ce3fef
SHA512 6bc29254e9aa6e12b353979f4e3b7689fe586bdcc6a6605f540b9202ab70c7b6c1cf28b25d7d69e8569917b183f62f0f40c8689e9e5d0134b2b6f1c306cbd2b4

C:\Users\Admin\AppData\Local\Temp\26d73225-f90f-442f-9468-0d4630e60b5e.vbs

MD5 78ee09a4e6ace239968d56351e09f2d2
SHA1 afb9561c576a496d336120a0b4ac34db238027b3
SHA256 61708d17da081ca03cbc6bef018cffceb4293904289c4cbd2c09d45313b79c54
SHA512 815de7e3b258cb2fe33d79d5daaa41542b81059814c48a643fc6522fcfca0aaf55b9c649935414c80b48900f0925c46a9bc395b53115fdda9e61deea93d44854

C:\Users\Admin\AppData\Local\Temp\46b5f1b7-e386-401e-84ff-4f52d8b1ba0a.vbs

MD5 5a1215868e76ac4abc136400689681e6
SHA1 f6f5baaf5a016cb3de15dae91e6023b6676cfb79
SHA256 35dc5f297f7311f72edf0dacd58e91727e67c49c5034a09b311c28b66b903c45
SHA512 ea53ce7df704488449aea30175dd5e519f4757221970a74ade9f1d10cca5fc1d6714e9160ca9dc8fc06fac9cf7db9e79272033a12a7bc4e2b277aa9a2b1f950b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\3e378230-1cb3-49d8-8ae0-afa7271f9cfe.vbs

MD5 5479602b5c419e4315b901a7d1d4ba62
SHA1 5dc1e0ed06098a1d85f6649172d0389dc4b8ea16
SHA256 908079db9ab8610fc25d5adef0d6c32b3b60891236f7a719fd7c4689fa481051
SHA512 109d05bcfaa1ea13ff14af39edba97ea9a1af38131f9cb7abe548dcf3ce69afd3852763bb052d048b2d3a77eeb7149ff478ab57ff65779572fc7c71b92f498dc

C:\Users\Admin\AppData\Local\Temp\bbccd969-b7f7-45ae-8b7f-d004b33f8afa.vbs

MD5 86c95f90d64e0a48da536acce3b68549
SHA1 b016b96c2fcdc56634294e035a524baa337a1c86
SHA256 dcddd158de6d0f344d58f82188585d456682c1f5c2e15018d6d1cea6a20922bf
SHA512 6937e80deea2a8865ac8f263ad9e6acb73627fbfbff9879068be8ee8d3efac711c280961119d04a0b5d753dc7c448194e5827f5eb9a9940de593704f9cbe82dc

memory/2456-568-0x000000001BF50000-0x000000001BF62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7eb87086-3506-4786-831c-211ea9db7757.vbs

MD5 74bff4d31c4352739d124f2baaf72fc1
SHA1 fb514b642145ece0dce68d656be3eea2872e3fc1
SHA256 f097dc8a8cecde89c86ddb4b898c37b0bbaca6c8106b71dd99361a9a420611a8
SHA512 b351659202f510cc166c5b2189221ef8643b2955a698aa524c934b01881f3a3901b1d3f5f225b43215304b93090c2037172ccdbcf28cdddcd0ce108e8a72924a

C:\Users\Admin\AppData\Local\Temp\f6ca9398-df74-4d0a-af4c-cd8f4904f84c.vbs

MD5 1517e34725e2ad3dcbc88d89836783d0
SHA1 17bc18ed856c7a814e75936a43234a446d0ca20b
SHA256 9cf03321e8ff000819c3eb6c62c8fe834f63839d02a0e4df1f94a1b8cc90f371
SHA512 f2d3f1fb07f7396e60e13c475f8069d943b53a60bc117e8bf6a160e3783d3c818f6bbf96c5289413bc2b4d0e62b421c1396aaf86ded0aa87d94c0de080fa508e

memory/3572-611-0x0000000002BC0000-0x0000000002BD2000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 21:14

Reported

2024-11-15 21:16

Platform

win7-20240729-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\RCXCA95.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\csrss.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXD0C0.tmp C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files\Mozilla Firefox\csrss.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files\Mozilla Firefox\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1520 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
PID 1520 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
PID 1520 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
PID 2176 wrote to memory of 1460 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 1460 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 1460 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 2932 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 2932 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 2932 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 1460 wrote to memory of 2840 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
PID 1460 wrote to memory of 2840 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
PID 1460 wrote to memory of 2840 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
PID 2840 wrote to memory of 2860 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2840 wrote to memory of 2860 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2840 wrote to memory of 2860 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2840 wrote to memory of 1172 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2840 wrote to memory of 1172 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2840 wrote to memory of 1172 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2860 wrote to memory of 1620 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
PID 2860 wrote to memory of 1620 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
PID 2860 wrote to memory of 1620 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
PID 1620 wrote to memory of 2316 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 1620 wrote to memory of 2316 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 1620 wrote to memory of 2316 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 1620 wrote to memory of 2712 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 1620 wrote to memory of 2712 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 1620 wrote to memory of 2712 N/A C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe C:\Windows\System32\WScript.exe
PID 2316 wrote to memory of 868 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe

"C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\System\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\437d54f9-aa29-4645-9277-4afb4ed98c0b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61fc45d9-8c3e-43ac-bbe7-51f3c546d97e.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe1a7d70-73bd-4c5d-a6fb-423a2bb09b62.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b262f4f9-6dce-4b0c-9a04-c31ad5c199f6.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faf4e194-07ee-4795-aa19-faf2505617c9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca3ff2b6-f210-4416-9f28-d0f83fa627e3.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44e87d97-29b8-41df-8fbd-cfc6bdca3409.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec12ee3-04cf-49df-81d4-4a79f4873c08.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad93c40d-e261-467f-b9ba-2a9729fad68a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1926dcb8-69dd-4b7c-9d20-5c4f580e2341.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d888c5eb-accf-4a37-a17a-2ddf9df1bf6b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\066151ee-8660-4e9c-bf6a-665c1f74f030.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b6aa3a1-09a5-4277-b9c6-3d46d4b8f022.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d90a8da2-b65a-4977-9170-23e7b04d47d8.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfaa23e0-3380-4b1f-a254-af2384269a5f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e49a225d-8f69-4af7-8222-08fe466c3d1d.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29d23f3a-9c58-4288-886b-131acb0bb0ad.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88d28a50-c9fb-4405-b027-eaf61f95293c.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f2dd7d5-f865-4c01-8126-faa22a83fba3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5827e03c-3f95-4e9b-a971-bb29ba2dca78.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dfed9d6-7f0c-4fbf-83f3-8964278c44d1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730528f3-1724-4ba6-ad04-861a9eeb5c4f.vbs"

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

"C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c126b3d0-1c5c-4dd3-9db4-ab7e0055c688.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04e9aef9-4259-4ec7-b393-218b68d7ab0a.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 172.67.186.200:80 81888.cllt.nyashteam.ru tcp

Files
