Malware Analysis Report

2024-11-30 22:11

Sample ID 241116-21l6bawcml
Target 2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
SHA256 2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0b
Tags
dcrat evasion execution infostealer rat trojan colibri build1 discovery loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0b

Threat Level: Known bad

The file 2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion execution infostealer rat trojan colibri build1 discovery loader

Dcrat family

Process spawned unexpected child process

Colibri family

UAC bypass

Colibri Loader

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-16 23:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-16 23:02

Reported

2024-11-16 23:05

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target Occurrences
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 6

All six schtasks.exe invocations (the persistence tasks listed under Processes below) have WmiPrvSE.exe as their parent rather than the sample itself. That is what process creation through WMI (Win32_Process.Create) looks like in process-tree telemetry, and a WmiPrvSE.exe → schtasks.exe parent/child pair is a strong detection signal on its own, independent of the task contents.

UAC bypass

evasion trojan
Description Indicator Process Target Occurrences
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\spoolsv.exe N/A 9
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\spoolsv.exe N/A 9
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\spoolsv.exe N/A 9
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A 1
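The three values above are the whole of the UAC policy that governs prompting: EnableLUA = 0 turns UAC off outright (it takes effect at the next reboot), ConsentPromptBehaviorAdmin = 0 lets administrators elevate with no prompt at all (effective immediately), and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop. The "UAC bypass" label therefore describes a policy disable, not an exploit of an auto-elevating binary. The script below is an added example for triaging a host, not part of the report or of the DcRat sample; it assumes an elevated Windows PowerShell 5.1 session and stock default values (a hardened baseline may set ConsentPromptBehaviorAdmin to 1 or 2, which is stricter than the default and is deliberately not flagged):

```powershell
# Added example (not part of the sandbox report): audit the three UAC policy
# values this sample sets to 0 and flag any that have been zeroed.
# Run from an elevated Windows PowerShell 5.1 prompt on the host being triaged.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Default values on a stock Windows install (assumption: a hardened baseline may
# set ConsentPromptBehaviorAdmin to 1 or 2, which is stricter, not weaker, and
# is therefore not treated as tampering below).
$Defaults = [ordered]@{
    EnableLUA                  = 1   # 0 = UAC disabled entirely (effective after reboot)
    ConsentPromptBehaviorAdmin = 5   # 0 = admins elevate with no prompt at all
    PromptOnSecureDesktop      = 1   # 0 = prompts shown on the normal desktop (spoofable)
}

function Get-UacPolicyState {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    foreach ($name in $Defaults.Keys) {
        $actual = $props.$name
        # A missing value means "use the default". For all three values 0 is the
        # only setting that removes the prompt entirely, so 0 is what we flag;
        # other non-default values change the prompt style, not its existence.
        $tampered = ($null -ne $actual) -and ([int]$actual -eq 0)
        [pscustomobject]@{
            Value    = $name
            Default  = $Defaults[$name]
            Actual   = $actual
            Tampered = $tampered
        }
    }
}

$state = Get-UacPolicyState
$state | Format-Table -AutoSize

$bad = $state | Where-Object { $_.Tampered }
if ($bad) {
    Write-Warning ('UAC policy weakened: ' + (($bad | ForEach-Object { $_.Value }) -join ', '))
    # Remediation, applied only after the -Confirm prompt is answered. A restored
    # EnableLUA needs a reboot before UAC is actually enforced again.
    foreach ($row in $bad) {
        Set-ItemProperty -Path $PolicyKey -Name $row.Value -Value $row.Default -Type DWord -Confirm
    }
}
```

Because both the dropper and every spoolsv.exe instance rewrite these values, restoring them without first removing the scheduled tasks only buys a few minutes; the registry fix belongs after the persistence cleanup, and a Sysmon registry-value-set rule (or 4657 auditing) on this key catches the re-tampering.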

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target Occurrences
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\spoolsv.exe N/A 9
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A 1
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\MSOCache\All Users\spoolsv.exe N/A 9
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A 1

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target Occurrences
N/A N/A C:\Windows\system32\schtasks.exe N/A 6

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Occurrences
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A 3
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
N/A N/A C:\MSOCache\All Users\spoolsv.exe N/A 9

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Occurrences
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 12
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\spoolsv.exe N/A 9

Suspicious use of WriteProcessMemory

Description Indicator Process Target Occurrences
PID 2024 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2024 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\MSOCache\All Users\spoolsv.exe 3
PID 2600 wrote to memory of 2732 N/A C:\MSOCache\All Users\spoolsv.exe C:\Windows\System32\WScript.exe 3
PID 2600 wrote to memory of 2560 N/A C:\MSOCache\All Users\spoolsv.exe C:\Windows\System32\WScript.exe 3
PID 2732 wrote to memory of 2544 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\spoolsv.exe 3
PID 2544 wrote to memory of 2892 N/A C:\MSOCache\All Users\spoolsv.exe C:\Windows\System32\WScript.exe 3
PID 2544 wrote to memory of 2192 N/A C:\MSOCache\All Users\spoolsv.exe C:\Windows\System32\WScript.exe 3
PID 2892 wrote to memory of 1796 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\spoolsv.exe 3
PID 1796 wrote to memory of 1900 N/A C:\MSOCache\All Users\spoolsv.exe C:\Windows\System32\WScript.exe 3
PID 1796 wrote to memory of 876 N/A C:\MSOCache\All Users\spoolsv.exe C:\Windows\System32\WScript.exe 3
PID 1900 wrote to memory of 2760 N/A C:\Windows\System32\WScript.exe C:\MSOCache\All Users\spoolsv.exe 1

Every parent/child pair is recorded three times, the pattern of a parent populating a freshly created child's address space at CreateProcess time rather than injection into an already running process, so this table documents the process tree. Read as a tree: the sample (PID 2024) starts twelve powershell.exe children (the Add-MpPreference exclusions listed under Processes) and the dropped C:\MSOCache\All Users\spoolsv.exe (PID 2600); each spoolsv.exe then starts two WScript.exe instances, one of which relaunches spoolsv.exe (2732 → 2544, 2892 → 1796, 1900 → 2760), giving the spoolsv → WScript → spoolsv chain that repeats until the run ends. PID 2760 appears twice because it was reused: first for a powershell.exe child of 2024, later for the last spoolsv.exe. The six schtasks.exe processes do not appear here because their parent is WmiPrvSE.exe (see "Process spawned unexpected child process" above).

System policy modification

evasion
Description Indicator Process Target Occurrences
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\MSOCache\All Users\spoolsv.exe N/A 9
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\MSOCache\All Users\spoolsv.exe N/A 9
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A 1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\MSOCache\All Users\spoolsv.exe N/A 9
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A 1

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe

"C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Downloads\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\dwm.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\MSOCache\All Users\spoolsv.exe

"C:\MSOCache\All Users\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b89acd66-c016-4bf7-af3d-028b3b31646f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\febcef6d-aded-41bd-8413-ee8c095d9157.vbs"

C:\MSOCache\All Users\spoolsv.exe

"C:\MSOCache\All Users\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75b762d3-c6f3-4241-8e92-0d95e7c04955.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546442b4-de91-4607-bf1b-92468c432f76.vbs"

C:\MSOCache\All Users\spoolsv.exe

"C:\MSOCache\All Users\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5ea4966-79c0-49be-a63b-72fa42c5a7d5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bcfec50-1143-48db-94b9-abf279c9560b.vbs"

C:\MSOCache\All Users\spoolsv.exe

"C:\MSOCache\All Users\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0ea3bac-16c3-43b1-91fc-f9f84830bd4e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6cc9afc-b622-4e8e-9af2-bb8a8528e79d.vbs"

C:\MSOCache\All Users\spoolsv.exe

"C:\MSOCache\All Users\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2d39159-5ce2-4d2e-b744-6507c95fce02.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2db84e0-df25-4599-8f60-083c4b898f6e.vbs"

C:\MSOCache\All Users\spoolsv.exe

"C:\MSOCache\All Users\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25807f83-3a7a-4d1c-b9db-0a0f75cbf6d7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0381ff4e-c1b8-45af-9105-78fe53204d7f.vbs"

C:\MSOCache\All Users\spoolsv.exe

"C:\MSOCache\All Users\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22c19781-566c-4a68-9f5d-44c93249299b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ba21048-f051-43da-8fde-73414c56c2ad.vbs"

C:\MSOCache\All Users\spoolsv.exe

"C:\MSOCache\All Users\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95e7a595-b350-487b-809b-e7df9bdd45f4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3b2998c-ed91-4027-bfd7-34d09146374c.vbs"

C:\MSOCache\All Users\spoolsv.exe

"C:\MSOCache\All Users\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1083acf3-71b8-450b-bc40-c3523bfa1158.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\166b330d-bded-4023-b8ef-076b656f0446.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp

Files

C:\MSOCache\All Users\spoolsv.exe

MD5 13b6da3b2c4cb91d305cf9bf20998000
SHA1 99c9b99ae564f1861ee2994eb345c16b2d505048
SHA256 2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0b
SHA512 853e2a327e2a1c5708d5ea12a48c8ebedf7ccea9ba14d2d693681ec892222bdbc1ac23af21d03f1d3cf11273f9a0f15a6577c385d27c4a5868ee9a567295d6c9

C:\Users\Public\Downloads\dwm.exe

MD5 57cae5ee7e13e4069542a0e4af679b61
SHA1 7efc8fe18429de3ea23a8761a997f6342d947c7a
SHA256 27a69f0a6155807db6e42b5ab7da8da2cca67cc496eddad3200ba3567fd37054
SHA512 616a879a3d674b04f59a8fbe89d83e9b6bee941380cbd352363b0b40fa4b49941b09f54da2f9a21e3f16617b5bc47729d8d1ca470b871c8d1561551856d1df8f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 123674536bae3fd62ee91936badfe819
SHA1 370a6570081460acc0ec49922aa1d7d9a6dd1641
SHA256 7b96e3b12d711e343fdec8657a70f00c3c8d2fc86410e57a7bee18dddb8a8855
SHA512 be2f08188b16ae609468ab5dc4b8e3e774b858f733dddd7eaf852c7afc3ad5b44ae1f371c2f240b10888c855c50c1167daeccf99c027dc72c2cbe9f29322a98e

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\b89acd66-c016-4bf7-af3d-028b3b31646f.vbs

MD5 345bf6cdbe44b6d90a48c8b5fa610f0a
SHA1 4074addf0faecc61cfdcc486367dc5e080f289c1
SHA256 df0615cd12a6b1cc29c4fa16c3bf2f38bede42baf9e3a686333d026ce51ff31d
SHA512 ddc4f4606e83fb116747fef80f9aa3bcb73891a5696fb29b4408cbe90871cdfe199d34932308343c94263a6484055ebf6b3d9059cd84886dac02a949f43c53a4

C:\Users\Admin\AppData\Local\Temp\febcef6d-aded-41bd-8413-ee8c095d9157.vbs

MD5 13100a90486d77a38c059a7638dc06a5
SHA1 eaf9f6cc43d8f24b4bba5052550fcf4336297a12
SHA256 db6ed00e9d4a1482cefef54f21650d3ba80a2edd223e32c0f5acca2767e76d64
SHA512 730690fd896aca065040c32ba20877b3ae8c3f3d2ae86f4c994173703e96cacc37c47a6daf0f585c0d568775a0c05cef223c2d6d99dec09e06a3a5b11513da0a

C:\Users\Admin\AppData\Local\Temp\75b762d3-c6f3-4241-8e92-0d95e7c04955.vbs

MD5 56f60bf9b68508280c61a98d40316198
SHA1 1f99b864a73a3a06b53ec7d7c42af22042cfea95
SHA256 4e0f40d44c7b109242a5e37055c4f90a5e24392aafc415fc2e9d7991f8d04b46
SHA512 956abd9975bec2b200c4db6b0408cfd5bc1ee7d7f2943cdee087710b629b9f8bae1facb252f572f3f11f1574bd656a502b11e54cd5138d92e7a69a090771ac9b

C:\Users\Admin\AppData\Local\Temp\tmp2BA2.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

C:\Users\Admin\AppData\Local\Temp\c5ea4966-79c0-49be-a63b-72fa42c5a7d5.vbs

MD5 d7dd9138d151e8223519a671c8ecb506
SHA1 fa6d7a4634701242cd0cdc8ed284ada50cbec2e5
SHA256 bd85344add2f1a458d34b31294b5341ed4ae7e5dee0bc07dc4a5540d0ae1d437
SHA512 993ad5ad56179d818b142df8c0de083c79641c90e9fdc8b98f2234cf8c444c1ace9128add5b3502d3b716e4f867b3ab5ad0574afdfaaabe5e0a6403bf991f003

C:\Users\Admin\AppData\Local\Temp\f0ea3bac-16c3-43b1-91fc-f9f84830bd4e.vbs

MD5 7fd1ee5d5da2b5690dfca83ae4eee495
SHA1 5a6ae9c75e752cbe9133c53375f6256cda7d59b0
SHA256 a2786e3de434d017828e25ae4e860e69b91205598ed6043595f70c57808b4d31
SHA512 efc1eee53e4c1f9c92d2bead1a7aba273e5cb232d17cc294e0d32443f6fa25383f7187e2d9ab6362605f37ead180326dddb172122ab176fbb0f4a1c1e9986d97

C:\Users\Admin\AppData\Local\Temp\f2d39159-5ce2-4d2e-b744-6507c95fce02.vbs

MD5 27a976e9be204073c1fc36e5e7a07241
SHA1 3af6b4be37501e5f8a6c663bf1540242e9dcff44
SHA256 023e30153faaa129166b8e79cb109b353c89c4866cc33a7a36fb135cd7845fd8
SHA512 e214703c538352d16efacc11b4201ce8beb7ce4e3a25f961502e7d944a19c79fd75e3c62f58ba16264a4155b375ecdf3091830515b404b0980a7620f8bdc35aa

C:\Users\Admin\AppData\Local\Temp\25807f83-3a7a-4d1c-b9db-0a0f75cbf6d7.vbs

MD5 8e609646e41e3e9586f5f6c66340f164
SHA1 eef9b581fbe28e0a0e765d5cbb061ba4778d7a25
SHA256 a216c9260af9ad4a63c15b43b0c296f87940a61324e54d3d0aff5460aea6424e
SHA512 e5f813553b6623937417f8d0a730fe5b1c9d0e2e9371b8c8360c2660794eb5563735a2cdea29ee5acfbba31c175671b914d7009644c50cfc97f867fdd1edb576

C:\Users\Admin\AppData\Local\Temp\22c19781-566c-4a68-9f5d-44c93249299b.vbs

MD5 c3340830a0f3fe69623f5cbabd3732a5
SHA1 3aeb259d97929b3426c8a36f717bdf6598835176
SHA256 6c2faa16ac80cecd4fde24aa6a6c7e4e26bc0b11bc55e2100ea5ced8e3a3436b
SHA512 ac3615b5b5b048f88333203e00cd976cc2054a275308f2d69ddc2c011521cac61e8c68aae8d9e7b2bde047065a574fbd7764425bee8e8e31a99c5196ca1bac1f

C:\Users\Admin\AppData\Local\Temp\95e7a595-b350-487b-809b-e7df9bdd45f4.vbs

MD5 2a64792bef073f01c64c794f36dfa59e
SHA1 40b5c8eb7c50c35c65077684ed430a27a7f0a1da
SHA256 167b7da0a34242b7d4aaf606a7000099a1f526586f3bcc40fe7643a530911825
SHA512 701160fb5ff9ec1461dc883ae725234f703b9081eb7218eb07483b192a15f730f3979f8b240f57d77292787d102997cea798cf530abd3aa8e34f7d80381dfa9f

C:\Users\Admin\AppData\Local\Temp\1083acf3-71b8-450b-bc40-c3523bfa1158.vbs

MD5 dcf7b2cd1ab04a649ee6a40fe8ee5f3f
SHA1 62fff7f3552631965321180055d571a5e01ee58b
SHA256 f215726aa69fff35fc8e20ae9a3ea512bddb3c021fdcff8a8b9a93edc7566714
SHA512 ae9e5781f8b7887825349a73a8db1c06f03e0eebd633b0b6a67160552be6c8f5a363b19fc8e8abf23cc34c980634d4f4877678c8fafc706678cf8c5968c27d26

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-16 23:02

Reported

2024-11-16 23:05

Platform

win10v2004-20241007-en

Max time kernel

116s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe"

Signatures

Colibri Loader

loader colibri

Colibri family

colibri

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC80E.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC80E.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF94F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF94F.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7B12.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7B12.tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office 15\wininit.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows Mail\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\RCXD7B8.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCXE6E2.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCXE963.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files\Microsoft Office 15\56085415360792 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\RCXEB77.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows NT\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows Mail\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCXD9EB.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\RCXDBFF.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\System.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows NT\System.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files\Microsoft Office 15\wininit.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\RCXD370.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RCXDE14.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Offline Web Pages\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Windows\INF\ServiceModelService 3.0.0.0\0410\smss.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Windows\Offline Web Pages\RCXE4CD.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Windows\Offline Web Pages\lsass.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Windows\LanguageOverlayCache\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Windows\INF\ServiceModelService 3.0.0.0\0410\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Windows\INF\ServiceModelService 3.0.0.0\0410\RCXE028.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Windows\INF\ServiceModelService 3.0.0.0\0410\smss.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Windows\Offline Web Pages\lsass.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
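Added example, not part of the sandbox report: a Python triage script that reads rows in the flattened "Description Indicator Process Target" format of the two drop tables above and pulls out what makes them worth a closer look. The rows fed to it are copied from those tables, plus one constructed control row (lsass.exe under System32) that is not from the report. Three things it checks: executables carrying the names of Windows system processes (lsass.exe, smss.exe, wininit.exe, spoolsv.exe, fontdrvhost.exe and so on) dropped outside the directories those binaries live in, which is masquerading (ATT&CK T1036.005); the 14-hex-character nameless files that appear beside every dropped executable in these tables; and an RCX????.tmp write in a directory shortly before an executable is created there, which reads as a staged write-then-replace. The system-binary list, the legitimate-directory prefixes, the companion-file pattern and the RCX pairing are the author's inferences from these rows, not documented DcRat constants.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: rows copied from the "Drops file in Program Files /
# Windows directory" tables of this report, in the report's flattened row
# format, plus one control row (lsass.exe under System32) that is NOT from
# the report and must not be flagged.
SAMPLE_ROWS = r"""
File opened for modification C:\Program Files\Microsoft Office 15\wininit.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\RCXD7B8.tmp C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows Mail\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows Mail\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Program Files (x86)\Windows NT\System.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Windows\INF\ServiceModelService 3.0.0.0\0410\smss.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Windows\LanguageOverlayCache\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
File created C:\Windows\System32\lsass.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
"""

# Greedy first group, so the split lands at the LAST " C:\" in the row: the
# indicator path may contain spaces, the process path is the trailing one.
ROW_RE = re.compile(r"^(File created|File opened for modification) (.+) (C:\\.+?) N/A$")

# Author's list of process names worth protecting; lowercase for comparison.
SYSTEM_BINARIES = {
    "lsass.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "svchost.exe", "spoolsv.exe", "fontdrvhost.exe",
    "runtimebroker.exe", "taskhostw.exe", "backgroundtaskhost.exe", "dwm.exe",
}
# Where those names legitimately live (author's assumption, prefix match).
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Inferred from this report: a 14-hex-char file is dropped beside each binary.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")
# Inferred from this report: RCX????.tmp precedes the executable in that dir.
STAGING_RE = re.compile(r"^rcx[0-9a-f]{4}\.tmp$")


def parse_rows(text):
    """Yield (action, PureWindowsPath(indicator), process) per parsable row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group(1), PureWindowsPath(m.group(2)), m.group(3)


def analyze_drops(text):
    """Classify dropped files; returns lists of full paths per finding."""
    masquerade, companions, staged, staging_dirs = [], [], [], set()
    for action, path, _proc in parse_rows(text):
        name, parent = path.name.lower(), str(path.parent).lower()
        # "System.exe" never exists as a file; the System process has no image.
        if name == "system.exe" or (
            name in SYSTEM_BINARIES and not parent.startswith(LEGIT_DIRS)
        ):
            masquerade.append(str(path))          # ATT&CK T1036.005
        if COMPANION_RE.match(name):
            companions.append(str(path))
        if STAGING_RE.match(name):
            staging_dirs.add(parent)
        elif action == "File created" and name.endswith(".exe") and parent in staging_dirs:
            staged.append(str(path))              # written via RCX*.tmp first
    return {"masquerade": masquerade, "companions": companions, "staged": staged}


if __name__ == "__main__":
    for finding, paths in analyze_drops(SAMPLE_ROWS).items():
        print(finding)
        for p in paths:
            print("   ", p)
```

On a live host the same three checks translate directly into a hunt: list every lsass.exe, smss.exe, wininit.exe and spoolsv.exe on disk and compare its directory against System32, and treat a nameless 14-hex-character file next to an executable under Program Files as a strong DcRat-style indicator even when the executable name itself is unfamiliar.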

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7B12.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpC80E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpF94F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3764 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe
PID 3764 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe
PID 3764 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe
PID 2004 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe
PID 2004 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe
PID 2004 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe
PID 2004 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe
PID 2004 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe
PID 2004 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe
PID 2004 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe
PID 3764 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\cmd.exe
PID 3764 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe C:\Windows\System32\cmd.exe
PID 3208 wrote to memory of 3812 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3208 wrote to memory of 3812 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3208 wrote to memory of 4012 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe
PID 3208 wrote to memory of 4012 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe
PID 4012 wrote to memory of 3248 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4012 wrote to memory of 3248 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4012 wrote to memory of 4720 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4012 wrote to memory of 4720 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 4012 wrote to memory of 2940 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe
PID 4012 wrote to memory of 2940 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe
PID 4012 wrote to memory of 2940 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe
PID 2940 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe
PID 2940 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe
PID 2940 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe
PID 2940 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe
PID 2940 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe
PID 2940 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe
PID 2940 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe
PID 3248 wrote to memory of 5108 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe
PID 3248 wrote to memory of 5108 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe
PID 5108 wrote to memory of 1676 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5108 wrote to memory of 1676 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5108 wrote to memory of 1268 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5108 wrote to memory of 1268 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Windows\System32\WScript.exe
PID 5108 wrote to memory of 4008 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe
PID 5108 wrote to memory of 4008 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe
PID 5108 wrote to memory of 4008 N/A C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe
PID 4008 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe
PID 4008 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe
PID 4008 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe
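Added example, not part of the sandbox report: a Python script that turns the WriteProcessMemory table above back into a process tree and separates routine parent-to-child writes from the ones that matter. The edges and their repeat counts are copied from the table (a subset; the PowerShell children are left out), and the sample itself repeats each row the number of times it occurs in the report so that counting works on the raw rows. A write or two into a freshly created child is what process start-up produces; seven writes from tmpD0FD.tmp.exe (PID 2004) into a second copy of its own image (PID 2356), and again from tmp1345.tmp.exe (2940) into 4400, is the shape of a loader hollowing a suspended copy of itself (ATT&CK T1055.012). The script flags that shape; confirming it needs the SetThreadContext/ResumeThread calls from the full trace, which this table alone does not give. The threshold of four writes is the author's choice.

```python
import re
from collections import Counter, defaultdict

# Row format of the "Suspicious use of WriteProcessMemory" table:
# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# Non-greedy src image: it stops at the first " C:\" which starts the target.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")

TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TMP + r"\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe"
HOST = r"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe"

# Constructed sample: edges and repeat counts copied from the table above.
SAMPLE_ROWS = "\n".join(
    row
    for row, n in [
        (f"PID 3764 wrote to memory of 2004 N/A {DROPPER} {TMP}\\tmpD0FD.tmp.exe", 3),
        (f"PID 2004 wrote to memory of 2356 N/A {TMP}\\tmpD0FD.tmp.exe {TMP}\\tmpD0FD.tmp.exe", 7),
        (f"PID 3764 wrote to memory of 3208 N/A {DROPPER} C:\\Windows\\System32\\cmd.exe", 2),
        (f"PID 3208 wrote to memory of 4012 N/A C:\\Windows\\System32\\cmd.exe {HOST}", 2),
        (f"PID 4012 wrote to memory of 3248 N/A {HOST} C:\\Windows\\System32\\WScript.exe", 2),
        (f"PID 3248 wrote to memory of 5108 N/A C:\\Windows\\System32\\WScript.exe {HOST}", 2),
        (f"PID 4012 wrote to memory of 2940 N/A {HOST} {TMP}\\tmp1345.tmp.exe", 3),
        (f"PID 2940 wrote to memory of 4400 N/A {TMP}\\tmp1345.tmp.exe {TMP}\\tmp1345.tmp.exe", 7),
    ]
    for _ in range(n)
)


def parse_writes(text):
    """Collapse repeated rows: (src_pid, dst_pid) -> write count, pid -> image."""
    counts, names = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst = int(m[1]), int(m[2])
            counts[(src, dst)] += 1
            names[src], names[dst] = m[3], m[4]
    return counts, names


def hollowing_candidates(counts, names, min_writes=4):
    """Parents that write repeatedly into a new instance of their own image."""
    return sorted(
        (src, dst, names[src])
        for (src, dst), n in counts.items()
        if names[src].lower() == names[dst].lower() and n >= min_writes
    )


def process_tree(counts, names):
    """Indented tree from the write edges; roots are pids nobody wrote into."""
    children = defaultdict(list)
    for (src, dst), n in counts.items():
        children[src].append((dst, n))
    written_to = {dst for _, dst in counts}
    lines = []

    def walk(pid, n, depth):
        tag = f"  <- {n} writes" if n else ""
        lines.append(f"{'  ' * depth}{pid} {names[pid]}{tag}")
        for child, m in children.get(pid, []):
            walk(child, m, depth + 1)

    for root in [p for p in children if p not in written_to]:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    counts, names = parse_writes(SAMPLE_ROWS)
    print("\n".join(process_tree(counts, names)))
    for src, dst, image in hollowing_candidates(counts, names):
        print(f"self-image injection candidate: {src} -> {dst} ({image})")
```

The tree also makes the persistence loop visible without reading forty rows: cmd.exe starts the dropped backgroundTaskHost.exe, which runs WScript.exe, which starts another backgroundTaskHost.exe, and each generation hands a fresh tmp*.tmp.exe stage to a copy of itself.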

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
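The rows above show the original sample and its dropped copy (backgroundTaskHost.exe under Microsoft Office 15\ClientX64) zeroing three UAC policy values. EnableLUA = 0 switches UAC off at the next reboot; ConsentPromptBehaviorAdmin = 0 makes administrator elevations silent immediately; PromptOnSecureDesktop = 0 moves any remaining prompts off the secure desktop, where they can be spoofed. Because HKLM\...\Policies\System is only writable from an already-elevated context, these writes come after the UAC bypass rather than being the bypass itself. The Python below is an added example, not part of the sandbox output: it parses rows in the report's own "Set value" format and reports which UAC controls were weakened and by which process. The first five rows are copied from the table above (one per distinct value/process pair); the regedit.exe row is constructed as a benign contrast.

```python
import re

# Rows in the report's "Set value" format. The first five are copied from the
# sandbox table above; the regedit.exe row is CONSTRUCTED as a benign contrast.
REGISTRY_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\regedit.exe N/A
"""

# The UAC policy key, lower-cased for comparison with the parsed key path.
UAC_KEY = r"\registry\machine\software\microsoft\windows\currentversion\policies\system"

# Documented meaning of a zero value for each UAC policy.
WEAK_WHEN_ZERO = {
    "EnableLUA": "UAC disabled entirely (takes effect at the next reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, no prompt (immediate)",
    "PromptOnSecureDesktop": "prompts shown on the user desktop, spoofable (immediate)",
}

# One report row: "Set value (<type>) <key>\<name> = "<data>" <process> <target>"
ROW = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) '
    r'= "(?P<data>[^"]*)" (?P<process>.+?) N/A$'
)


def parse_registry_rows(text):
    """Parse report rows into dicts; lines that are not 'Set value' rows are skipped."""
    return [m.groupdict() for m in (ROW.match(l.strip()) for l in text.splitlines()) if m]


def assess_uac(events):
    """Return {policy: {"value", "effect", "processes"}} for UAC policies written as 0."""
    findings = {}
    for ev in events:
        if ev["key"].lower() != UAC_KEY or ev["name"] not in WEAK_WHEN_ZERO:
            continue
        if ev["type"] != "int" or int(ev["data"]) != 0:
            continue
        entry = findings.setdefault(
            ev["name"], {"value": 0, "effect": WEAK_WHEN_ZERO[ev["name"]], "processes": []}
        )
        if ev["process"] not in entry["processes"]:
            entry["processes"].append(ev["process"])
    return findings


def uac_verdict(findings):
    """One-line state of UAC after the observed writes."""
    if "EnableLUA" in findings:
        if "ConsentPromptBehaviorAdmin" in findings:
            return "UAC off after reboot; until then silent elevation"
        return "UAC off after reboot"
    if "ConsentPromptBehaviorAdmin" in findings:
        return "UAC on but administrators elevate without a prompt"
    return "UAC policy intact"


if __name__ == "__main__":
    found = assess_uac(parse_registry_rows(REGISTRY_ROWS))
    for policy, info in found.items():
        print(f"{policy} = 0: {info['effect']}")
        for proc in info["processes"]:
            print(f"    written by {proc}")
    print(uac_verdict(found))
```

Run against the full table the result is the same three findings; the repeated rows only add the same process again. The verdict string is the part worth carrying into a ticket: on this host UAC is fully off after the next reboot, and silent elevation is already in effect before that.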

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe

"C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Public\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\INF\ServiceModelService 3.0.0.0\0410\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\INF\ServiceModelService 3.0.0.0\0410\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\ServiceModelService 3.0.0.0\0410\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\wininit.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\84wKLR6hpV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe

"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7b7bd9b-b9ef-4ef2-b6fd-9a5bdce0d1cd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca8fc67-96ba-4398-b44b-47fd931e9e87.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1345.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe

"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5c76cf9-6bba-45a3-bd3e-6746a6eeeec1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d06a09ed-a0a5-44db-bf25-7fade05014b0.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp318B.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe

"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\302da00b-ae5d-4812-b7b2-45296c67cb21.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a92fe52-ee46-418c-a457-ba410fcd12d7.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp63C6.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe

"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25c8d552-c281-4594-862c-8faa607d7616.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a25253f6-641d-4989-ac51-292d184ac143.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe

"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c8a7b53-5980-4102-b381-0f15709a7029.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75b6fbfc-157e-4d5a-8ca6-d98cc986a560.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpC80E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC80E.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpC80E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC80E.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe

"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48cc8432-2aca-441c-b0b4-a077b1ebb800.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3c9b4af-3b67-4d43-9e05-46236cac0ac0.vbs"

C:\Users\Admin\AppData\Local\Temp\tmpF94F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF94F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpF94F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF94F.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe

"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40eaea42-78a4-4891-b6eb-9e9c5890b75e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a737fa3-fecc-4bc6-ad22-b34dca623e6d.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp18FD.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe

"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a2db495-c259-43ed-a8b4-7d897412e15b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43947951-3f2f-4663-9df5-d68075747510.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4A1F.tmp.exe"

C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe

"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e9d8b41-deb1-47b1-bac2-8af1ce62cfeb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4524b207-373e-447e-bb72-9b3062fc1175.vbs"

C:\Users\Admin\AppData\Local\Temp\tmp7B12.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7B12.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp7B12.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7B12.tmp.exe"
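The process list above has three patterns worth automating: schtasks entries that launch files named after Windows system binaries (fontdrvhost, taskhostw, sihost, lsass, smss, RuntimeBroker, wininit, backgroundTaskHost, System) from Recovery, Program Files, Public or odd Windows subfolders, each paired with an ONLOGON task at /rl HIGHEST and a MINUTE task that re-launches the file every few minutes; powershell Add-MpPreference calls that exclude every top-level directory of C: from Defender; and the cmd/wscript launches of scripts dropped in %TEMP%, with w32tm /stripchart against localhost standing in for a sleep. The Python below is an added example, not part of the sandbox output or of any DcRat tooling: it triages command lines in the report's format into those categories. The command lines are copied from the list above; the task named "Benign" pointing into System32 is constructed as a contrast, and the 15-minute watchdog threshold and the list of System32-only binaries are assumptions of the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Command lines copied from the process list above, plus one CONSTRUCTED benign
# schtasks line ("Benign", RuntimeBroker.exe in System32) for contrast.
COMMAND_LINES = r"""
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /f
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\INF\ServiceModelService 3.0.0.0\0410\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Benign" /sc DAILY /tr "'C:\Windows\System32\RuntimeBroker.exe'" /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\84wKLR6hpV.bat"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7b7bd9b-b9ef-4ef2-b6fd-9a5bdce0d1cd.vbs"
"""

# Binaries that legitimately live only in System32/SysWOW64 (assumed list).
SYSTEM_BINARIES = {
    "fontdrvhost.exe", "taskhostw.exe", "sihost.exe", "lsass.exe", "smss.exe",
    "wininit.exe", "runtimebroker.exe", "backgroundtaskhost.exe",
    "csrss.exe", "services.exe", "svchost.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHDOG_MAX_MINUTES = 15  # heuristic: a task re-run this often is keeping a payload alive

TR = re.compile(r"/tr\s+\"'?([^\"']+)'?\"", re.I)
SC = re.compile(r"/sc\s+(\w+)", re.I)
MO = re.compile(r"/mo\s+(\d+)", re.I)
RL = re.compile(r"/rl\s+(\w+)", re.I)
EXCL = re.compile(r"-ExclusionPath\s+'([^']+)'", re.I)
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\"]+\.(?:vbs|bat|cmd|js|ps1)\"", re.I)
W32TM_SLEEP = re.compile(r"^w32tm\s+/stripchart\s+/computer:localhost", re.I)


def triage_schtasks(cmd):
    """Masquerading target, elevated run level and short re-launch interval."""
    out = []
    tr = TR.search(cmd)
    if not tr:
        return out
    target = PureWindowsPath(tr.group(1))
    name = target.name.lower()
    if name in SYSTEM_BINARIES and str(target.parent).lower() not in SYSTEM_DIRS:
        out.append(("masquerade", f"{target.name} outside System32: {target.parent}"))
    elif name == "system.exe":
        out.append(("masquerade", "no Windows component ships as System.exe"))
    rl = RL.search(cmd)
    if rl and rl.group(1).upper() == "HIGHEST":
        out.append(("elevated-task", "runs with highest available privileges"))
    sc, mo = SC.search(cmd), MO.search(cmd)
    if sc and sc.group(1).upper() == "MINUTE" and mo and int(mo.group(1)) <= WATCHDOG_MAX_MINUTES:
        out.append(("watchdog", f"re-launched every {mo.group(1)} minutes"))
    return out


def triage_defender(cmd):
    """Add-MpPreference exclusions; a drive root or top-level directory is a blanket exclusion."""
    m = EXCL.search(cmd)
    if not m:
        return []
    parts = [p for p in m.group(1).replace("/", "\\").split("\\") if p]
    path = "\\".join(parts)
    kind = "blanket exclusion of" if len(parts) <= 2 else "exclusion of"
    return [("defender-exclusion", f"{kind} {path}")]


def triage(cmd):
    """All findings for one command line as (category, reason) tuples."""
    out = triage_schtasks(cmd) + triage_defender(cmd)
    if W32TM_SLEEP.search(cmd):
        out.append(("delay", "w32tm stripchart against localhost used as a sleep"))
    if TEMP_SCRIPT.search(cmd):
        out.append(("script-from-temp", "interpreter launched on a script dropped in %TEMP%"))
    return out


def triage_all(text):
    """Return [(cmd, category, reason)] for every non-empty line of a process listing."""
    return [(cmd, cat, why) for cmd in map(str.strip, text.splitlines()) if cmd
            for cat, why in triage(cmd)]


def summarize(findings):
    """Count findings per category."""
    return Counter(cat for _, cat, _ in findings)


if __name__ == "__main__":
    for cmd, cat, why in triage_all(COMMAND_LINES):
        print(f"[{cat}] {why}\n    {cmd}")
    print(dict(summarize(triage_all(COMMAND_LINES))))
```

The masquerade check is the one that generalises: it fires on any of the report's task targets because none of them sits in System32, and stays quiet on the constructed task that does. For the Defender exclusions, treat every row as reportable; the "blanket" label only marks the ones that disable scanning for a whole drive or top-level directory, which is the whole of C: in this report.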

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 8.2.21.104.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
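The network table mixes three kinds of rows: PTR lookups of addresses (the in-addr.arpa names), forward lookups of hostnames, and the TCP sessions that followed. Read together they show that the two long .cc and .cx names were queried repeatedly but never connected to in this capture, while 81888.cllt.nyashteam.ru resolved and received repeated connections to 104.21.2.8:80. That address sits in Cloudflare's 104.16.0.0/12 range, so it identifies a shared proxy rather than the operator's server; the hostname is the indicator to block. The Python below is an added example, not part of the sandbox output: it parses rows in the table's format, separates DNS-only domains from domains that received TCP sessions, and maps PTR names back to addresses to show which connected endpoint was also reverse-resolved. A representative subset of the rows above is embedded.

```python
import re
from collections import defaultdict

# Representative rows copied from the Network table above.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 8.8.8.8:53 81888.cllt.nyashteam.ru udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
US 8.8.8.8:53 8.2.21.104.in-addr.arpa udp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
US 8.8.8.8:53 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx udp
US 104.21.2.8:80 81888.cllt.nyashteam.ru tcp
"""

# One table row: "<country> <ip:port> <domain> <proto>"; the header line does not match.
ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<dest>\S+)\s+(?P<domain>\S+)\s+(?P<proto>udp|tcp)$")


def parse_rows(text):
    """Parse the flattened Network table into dicts, skipping the header and blanks."""
    return [m.groupdict() for m in (ROW.match(l.strip()) for l in text.splitlines()) if m]


def ptr_to_ip(name):
    """'8.2.21.104.in-addr.arpa' -> '104.21.2.8'; None for anything that is not a PTR name."""
    if not name.lower().endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(rows):
    """Per forward-lookup domain: number of DNS queries and the set of TCP endpoints reached."""
    report = defaultdict(lambda: {"dns": 0, "tcp": set()})
    for r in rows:
        domain = r["domain"].lower()
        if ptr_to_ip(domain) is not None:
            continue  # reverse lookups are handled separately
        if r["proto"] == "udp" and r["dest"].endswith(":53"):
            report[domain]["dns"] += 1
        elif r["proto"] == "tcp":
            report[domain]["tcp"].add(r["dest"])
    return dict(report)


def live_c2(report):
    """Domains that actually received a TCP session."""
    return sorted(d for d, v in report.items() if v["tcp"])


def dns_only(report):
    """Domains that were queried but never connected to (unresolved, dead, or decoy)."""
    return sorted(d for d, v in report.items() if v["dns"] and not v["tcp"])


def reverse_resolved_endpoints(rows, report):
    """Addresses that were both PTR-looked-up and connected to over TCP."""
    ptr_ips = {ip for r in rows if (ip := ptr_to_ip(r["domain"]))}
    tcp_ips = {ep.rsplit(":", 1)[0] for v in report.values() for ep in v["tcp"]}
    return sorted(ptr_ips & tcp_ips)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    report = classify(rows)
    print("live:", live_c2(report))
    print("dns only:", dns_only(report))
    print("connected and reverse-resolved:", reverse_resolved_endpoints(rows, report))
```

On the full table the split is the same: one live hostname with ten sessions to 104.21.2.8:80, two hostnames with DNS traffic only. The remaining PTR names resolve to addresses that never appear as TCP destinations in the table, so nothing in this capture ties them to the sample.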

Files

memory/3764-0-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

memory/3764-1-0x00000000002F0000-0x00000000007E4000-memory.dmp

memory/3764-2-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

memory/3764-3-0x000000001B4F0000-0x000000001B61E000-memory.dmp

memory/3764-4-0x000000001BC70000-0x000000001BC8C000-memory.dmp

memory/3764-7-0x000000001BC90000-0x000000001BCA0000-memory.dmp

memory/3764-6-0x00000000029A0000-0x00000000029A8000-memory.dmp

memory/3764-5-0x000000001BCE0000-0x000000001BD30000-memory.dmp

memory/3764-9-0x000000001BCC0000-0x000000001BCD0000-memory.dmp

memory/3764-8-0x000000001BCA0000-0x000000001BCB6000-memory.dmp

memory/3764-10-0x000000001BCD0000-0x000000001BCDA000-memory.dmp

memory/3764-11-0x000000001BD30000-0x000000001BD42000-memory.dmp

memory/3764-15-0x000000001BD60000-0x000000001BD6E000-memory.dmp

memory/3764-14-0x000000001BD50000-0x000000001BD5E000-memory.dmp

memory/3764-13-0x000000001BD40000-0x000000001BD4A000-memory.dmp

memory/3764-12-0x000000001C270000-0x000000001C798000-memory.dmp

memory/3764-17-0x000000001BD80000-0x000000001BD88000-memory.dmp

memory/3764-16-0x000000001BD70000-0x000000001BD78000-memory.dmp

memory/3764-18-0x000000001BE90000-0x000000001BE9C000-memory.dmp

C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe

MD5 13b6da3b2c4cb91d305cf9bf20998000
SHA1 99c9b99ae564f1861ee2994eb345c16b2d505048
SHA256 2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0b
SHA512 853e2a327e2a1c5708d5ea12a48c8ebedf7ccea9ba14d2d693681ec892222bdbc1ac23af21d03f1d3cf11273f9a0f15a6577c385d27c4a5868ee9a567295d6c9

C:\Users\Admin\AppData\Local\Temp\tmpD0FD.tmp.exe

MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

memory/2356-64-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Recovery\WindowsRE\RCXE2B9.tmp

MD5 fae0ea39845c3c29ff6af6439894448b
SHA1 3cfc2521d87700c547e9d9d2c264b2ffa8d8db0c
SHA256 c0c51d36c29ebbbaadffeb63fa4e32a922760225ef469af9119aa600ac050b6a
SHA512 90e68a41413de01645c83e621e7bbfece158bf7ec827557ed2c99f4b74d7b860efcf7eb3ecadf8f9fc1139baf57fce5d694a710dbe513ca4408e4d16e73128c3

memory/3764-134-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

memory/3764-149-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

memory/3764-156-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rtj42qwa.3n3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/528-175-0x00000144AFE50000-0x00000144AFE72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84wKLR6hpV.bat

MD5 966c48c0440c4ae50e4b70efe21891b3
SHA1 75805940c16cf236d5d6ee1175a3e2f9dfcb728a
SHA256 6d25c029dde2957058ec1a4660ddb85314011311ac83256cb0c077cdec7fe03d
SHA512 267eca2a1b667570dc64dd5c6797e4756c8a9117de15f6d621db1036f743b4cae888f958322002ff9f43d5f5b89963a82a2cec837b337dc187e35e662a31fd30

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1ca947063bf8c58838fa7455bd0b36d6
SHA1 045ce9620e4c4df8225e72dd1f5e6a3e2b977e53
SHA256 5eb2ec3df52dbc0b6404dc0fb61f76fc4cd510f56a799140fdece2e626da6142
SHA512 5e20dc999d0103d9927ab3ea3c272977e74cb0b63c0e533b9ea20094713155a4cd7d918dce6f50ccc6a3c6217439ae6bca87f44c6fc5752f9107a0e1efb8601b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c47b3f4e68eebd47e9332eebfd2dd4e
SHA1 67f0b143336d7db7b281ed3de5e877fa87261834
SHA256 8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA512 0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Temp\b7b7bd9b-b9ef-4ef2-b6fd-9a5bdce0d1cd.vbs

MD5 ab4376aac2ce1890a3f55a0101a06529
SHA1 b5aac46df83235d85ad9748260c8824bb2988c22
SHA256 b64439c99879694253635733a10bd8e1f35852717c4587e43a6c6115560dd39f
SHA512 ee8d8044c75e20b7d7d9699f51ad6e2a3eeea163f106c36ed3a746c875b5c0d8f4de9d1a2962bccf683d79b80803aec345a7539289edaa37129ff9311c2220af

C:\Users\Admin\AppData\Local\Temp\aca8fc67-96ba-4398-b44b-47fd931e9e87.vbs

MD5 28adf02a820b0d06b644321c90c78248
SHA1 8a0b62e9ea2418e1acaebfa8f83c6f7b2930ce1a
SHA256 0a857a8112b3a7bb00a44234e020bbe2b1a93c298e282440406891e0506089b8
SHA512 cfcf84057a0a37e4bb2abbf86fc025548b4ff8932c79c1274963a67ea6d3e9925cd4feb56d08b693c1047f1d76fa6ec77121840e89d573d0eb40513ad497023a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

C:\Users\Admin\AppData\Local\Temp\a5c76cf9-6bba-45a3-bd3e-6746a6eeeec1.vbs

MD5 8754ee8a02f1120ece62657b453cdc4e
SHA1 e6f20540cdf1b57a93a488f168fb023e3e525c99
SHA256 ebd54d0735649d85c345994511220a94056a48f590e5fc7bbfb99c5008bc27fc
SHA512 5734fe41cf244a5698db7cdeaf1ff488c9ad391c66ad5feb06ca714c0cbe36b4286ce2186514b3178fb22f061096adcac6c3ec307336f920fa14d972c6587630

C:\Users\Admin\AppData\Local\Temp\302da00b-ae5d-4812-b7b2-45296c67cb21.vbs

MD5 f1b31b2ec7195f98054feeacd7758237
SHA1 44c91c30218e51829d75245517b6ad136ddf9a68
SHA256 5d46b255d363c6087f6e72cc76b323b4168d0d50e4c793bd90f09f0be28a967d
SHA512 6a99bebca5e8ffefcea020f8f7b97b78b339095dd309316d73c6d7ab1d8c8a1c4197f20897a72a773ac163a86f48a0f77870b9dbdecaf359109e2eadb9a52669

C:\Users\Admin\AppData\Local\Temp\25c8d552-c281-4594-862c-8faa607d7616.vbs

MD5 1bb7e9886e1e145406ad82f844970700
SHA1 a8bede6b30f07b39a64ca1aa05a6abf634d82aa6
SHA256 74a5c6279d3681637a37085a89c1ab70379a8002fa1341b8e6639088c0293dab
SHA512 2bd7269d487a10198776d0a4a39ebcae3fde328a679b9b4849e3b4cc44c88f80042a2a74981436e9a0f4d12e2e448c531fe5f127479ab1d533af76854dbedd8c

memory/2080-379-0x000000001BCE0000-0x000000001BDE2000-memory.dmp

memory/3792-381-0x000000001BA90000-0x000000001BAA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5c8a7b53-5980-4102-b381-0f15709a7029.vbs

MD5 a861fdf09ab5a18a177f77800092d76b
SHA1 9a711a7a8f0327bcf729ad77750c9dfd7ccbd21e
SHA256 be8269ffded2f62701b339f14a44552abfab38a7401d79b6648ae122be57822d
SHA512 68855da0dc2876fbd6ea045c4f284506ac7782ffc7ccf31cc67ae568956c7d2dc0b05a75ed6acf93a23ba471307ef2463558619b397d789f375f8dff3c6c0f7e

memory/3792-404-0x000000001CF50000-0x000000001D052000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48cc8432-2aca-441c-b0b4-a077b1ebb800.vbs

MD5 99bc1696825934472f4f958a321f0c17
SHA1 4b96d5e2c172b6ba349871a2f6c18316e88ec322
SHA256 ac272f2506b0e23484d506540bafe92204f8ee2d29f7e05576d0451a19fe6cb5
SHA512 28370b34a0a600bff96599113952f0be591933bd8cfcea104f67d65b3d12040cfa1dcf3cf5382959d75154d3a1b93d56412f9d171ab913ab5db720613ce46c25

memory/5116-428-0x000000001CFE0000-0x000000001D0E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\40eaea42-78a4-4891-b6eb-9e9c5890b75e.vbs

MD5 31c163bbf3e8c7b8b549e7df1f62a108
SHA1 07a11c3837f0f4e6b2051681707f7463e72b45d8
SHA256 2dbf81835d8eb519372890446f2fba891bafadecd9fd71493a470f6b8dc94c7f
SHA512 a4fbd8a9998d26ed86231d06d0e3c24808dd8a607eda7e3deb9ae9c1c3b5d54ca43a12f856682b89cd2532a77c9b8c1ad13d5f93eff2912d50a2406b9b04be67